AOS-CX 10.09 IP Services Guide (4100i, 6000, 6100)

AOS-CX 10.09 IP ServicesGuide

4100i, 6000, 6100 Switch Series

Published: February 2022Edition: 2

| 2

Copyright Information

©Copyright 2022 Hewlett Packard Enterprise Development LP.

Open Source Code

This product includes code licensed under theGNU General Public License, the GNU Lesser General PublicLicense, and/or certain other open source licenses. A completemachine-readable copy of the source codecorresponding to such code is available upon request. This offer is valid to anyone in receipt of thisinformation and shall expire three years following the date of the final distribution of this product versionby Hewlett Packard Enterprise Company. To obtain such source code, send a check ormoney order in theamount of US $10.00 to:

Hewlett Packard Enterprise Company6280 America Center DriveSan Jose, CA 95002USA

NoticesThe information contained herein is subject to changewithout notice. The only warranties for HewlettPackard Enterprise products and services are set forth in the express warranty statements accompanyingsuch products and services. Nothing herein should be construed as constituting an additional warranty.Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license fromHewlett Packard Enterprise required for possession, use,or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer SoftwareDocumentation, and Technical Data for Commercial Items are licensed to theU.S. Government undervendor's standard commercial license.

Links to third-party websites take you outside theHewlett Packard Enterprise website. Hewlett PackardEnterprise has no control over and is not responsible for information outside theHewlett PackardEnterprise website.

AcknowledgmentsIntel®, Itanium®, Optane™, Pentium®, Xeon®, Intel Inside®, and the Intel Inside logo are trademarks ofIntel Corporation in theU.S. and other countries.

Microsoft® andWindows® are either registered trademarks or trademarks of Microsoft Corporation in theUnited States and/or other countries.

Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.

Java® and Oracle® are registered trademarks of Oracle and/or its affiliates.

UNIX® is a registered trademark of TheOpen Group.

All third-party marks are property of their respective owners.

Contents

Contents

Contents 3

About this document 7Applicable products 7Latest version available online 7Command syntax notation conventions 7About the examples 8Identifying switch ports and interfaces 8

IRDP 10Configuring IRDP 11IRDP commands 12

diag-dump irdp basic 12ip irdp 13ip irdp holdtime 13ip irdpmaxadvertinterval 14ip irdpminadvertinterval 15ip irdp preference 16show ip irdp 17

IPv6 Router Advertisement 18Configuring IPv6 RA 18IPv6 RA scenario 20IPv6 RA commands 20

ipv6 address <global-unicast-address> 20ipv6 address autoconfig 21ipv6 address link-local 22ipv6 nd cache-limit 23ipv6 nd dad attempts 24ipv6 nd hop-limit 24ipv6 ndmtu 25ipv6 nd ns-interval 25ipv6 nd prefix 26ipv6 nd ra dns search-list 28ipv6 nd ra dns server 28ipv6 nd ra lifetime 29ipv6 nd ramanaged-config-flag 30ipv6 nd ramax-interval 31ipv6 nd ramin-interval 32ipv6 nd ra other-config-flag 33ipv6 nd ra reachable-time 34ipv6 nd ra retrans-timer 34ipv6 nd router-preference 35ipv6 nd suppress-ra 36show ipv6 nd global traffic 37show ipv6 nd interface 37show ipv6 nd interface prefix 40show ipv6 nd ra dns search-list 41

AOS-CX 10.09 IP Services Guide | (4100i, 6000, 6100 Switch Series) 3

Contents | 4

show ipv6 nd ra dns server 42

sFlow 43sFlow agent 43Configuring the sFlow agent 44sFlow scenario 45sFlow scenario 2 46sFlow agent commands 48

clear sflow statistics 48sflow 48sflow agent-ip 50sflow collector 51sflow disable 52sflow header-size 52sflowmax-datagram-size 53sflow polling 54sflow sampling 54show sflow 55

DHCP client 57DHCP client 57

DHCP client commands 57ip dhcp 57show ip dhcp 58

DHCP relay agent 58DHCPv4 relay agent 59

Configuring theDHCPv4 relay agent 60DHCPv4 relay scenario 1 61DHCPv4 relay scenario 2 62DHCPv4 relay commands 63

DHCPv6 relay agent 71Configuring theDHCPv6 relay agent 71DHCPv6 relay scenario 1 71DHCP relay (IPv6) commands 72http-proxy 76

DHCP snooping 79DHCP server interoperation 79DHCPv4 snooping conditions for dropping DHCPv4 packets 79Protocol details 80DHCPv4 snooping commands 80

clear dhcpv4-snooping binding 80clear dhcpv4-snooping statistics 81dhcpv4-snooping 82dhcpv4-snooping (in config-vlan context) 83dhcpv4-snooping allow-overwrite-binding 83dhcpv4-snooping authorized-server 84dhcpv4-snooping external-storage 85dhcpv4-snooping flash-storage 87dhcpv4-snoopingmax-bindings 88dhcpv4-snooping option 82 89dhcpv4-snooping trust 90dhcpv4-snooping verify mac 91show dhcpv4-snooping 92show dhcpv4-snooping binding 93show dhcpv4-snooping statistics 94

DHCPv6 snooping commands 95clear dhcpv6-snooping binding 95clear dhcpv6-snooping statistics 96dhcpv6-snooping 96dhcpv6-snooping (in config-vlan context) 97dhcpv6-snooping authorized-server 98dhcpv6-snooping external-storage 99dhcpv6-snooping flash-storage 101dhcpv6-snoopingmax-bindings 102dhcpv6-snooping trust 103show dhcpv6-snooping 104show dhcpv6-snooping binding 105show dhcpv6-snooping statistics 106

Internet Control Message Protocol (ICMP) 108ICMPmessage types 108When ICMPmessages are sent 108ICMP redirect messages 109When ICMP redirect messages are sent 109ICMP commands 109

ip icmp redirect 109ip icmp throttle 110ip icmp unreachable 111

DNS 112DNS client 112Configuring theDNS client 112DNS client commands 113

ip dns domain-list 113ip dns domain-name 114ip dns host 114ip dns server address 115show ip dns 116

ARP 118ARP commands 119

arp inspection 119arp inspection trust 120arp ipv4 mac 120clear arp 121ip local-proxy-arp 122ipv6 neighbormac 123ip proxy-arp 123show arp 124show arp inspection interface 125show arp inspection statistics 126show arp state 127show arp summary 128show arp timeout 129show arp vrf 130show ipv6 neighbors 131show ipv6 neighbors state 132

Support and Other Resources 134Accessing Aruba Support 134Accessing Updates 135


Contents | 6

Aruba Support Portal 135My Networking 135

Warranty Information 135Regulatory Information 135Documentation Feedback 136

Chapter 1About this document

About this documentThis document describes features of the AOS-CX network operating system. It is intended for administratorsresponsible for installing, configuring, andmanaging Aruba switches on a network.

Applicable productsThis document applies to the following products:

n Aruba 4100i Switch Series (JL817A, JL818A)n Aruba 6000 Switch Series (R8N85A, R8N86A, R8N87A, R8N88A, R8N89A)n Aruba 6100 Switch Series (JL675A, JL676A, JL677A, JL678A, JL679A)

Latest version available onlineUpdates to this document can occur after initial publication. For the latest versions of productdocumentation, see the links provided in Support and Other Resources.

Command syntax notation conventions

Convention Usage

example-text Identifies commands and their options and operands, code examples,filenames, pathnames, and output displayed in a command window. Items thatappear like the example text in the previous column are to be entered exactlyas shown and are required unless enclosed in brackets ([ ]).

example-text In code and screen examples, indicates text entered by a user.

Any of the following:n <example-text>n <example-text>n example-text

n example-text

Identifies a placeholder—such as a parameter or a variable—that youmustsubstitute with an actual value in a command or in code:

n For output formats where italic text cannot be displayed, variables areenclosed in angle brackets (< >). Substitute the text—including theenclosing angle brackets—with an actual value.

n For output formats where italic text can be displayed, variablesmightormight not be enclosed in angle brackets. Substitute the textincluding the enclosing angle brackets, if any, with an actual value.

| Vertical bar. A logical OR that separates multiple items from which you canchoose only one.Any spaces that are on either side of the vertical bar are included forreadability and are not a required part of the command syntax.

{ } Braces. Indicates that at least one of the enclosed items is required.


About this document | 8

Convention Usage

[ ] Brackets. Indicates that the enclosed item or items are optional.

… or...

Ellipsis:n In code and screen examples, a vertical or horizontal ellipsis indicates an

omission of information.n In syntax using brackets and braces, an ellipsis indicates items that can be

repeated. When an item followed by ellipses is enclosed in brackets, zeroor more items can be specified.

About the examplesExamples in this document are representative andmight not match your particular switch or environment.

The slot and port numbers in this document are for illustration only andmight be unavailable on yourswitch.

Understanding the CLI promptsWhen illustrating the prompts in the command line interface (CLI), this document uses the generic termswitch, instead of the host name of the switch. For example:switch>

The CLI prompt indicates the current command context. For example:switch>

Indicates the operator command context.switch#

Indicates themanager command context.switch(CONTEXT-NAME)#

Indicates the configuration context for a feature. For example:switch(config-if)#

Identifies the interface context.

Variable information in CLI promptsIn certain configuration contexts, the prompt may include variable information. For example, when in theVLAN configuration context, a VLAN number appears in the prompt:switch(config-vlan-100)#

When referring to this context, this document uses the syntax:switch(config-vlan-<VLAN-ID>)#

Where <VLAN-ID> is a variable representing the VLAN number.

Identifying switch ports and interfacesPhysical ports on the switch and their corresponding logical software interfaces are identified using theformat:member/slot/port

On the 4100i Switch Series

n member: Always 1. VSF is not supported on this switch.n slot: Always 1. This is not amodular switch, so there are no slots.n port: Physical number of a port on the switch.

For example, the logical interface 1/1/4 in software is associated with physical port 4 on the switch.

On the 6000 and 6100 Switch Series

n member: Always 1. VSF is not supported on this switch.n slot: Always 1. This is not amodular switch, so there are no slots.n port: Physical number of a port on the switch.

For example, the logical interface 1/1/4 in software is associated with physical port 4 on the switch.


Chapter 2IRDP

IRDPICMP Router Discovery Protocol (IRDP), an extension of the ICMP, is independent of any routing protocol. Itallows hosts to discover the IP addresses of neighboring routers that can act as default gateways to reachdevices on other IP networks.

On the switches covered by this guide, IRDP is configured on a VLAN interface.

IRDP operationIRDP uses the following types of ICMPmessages:

n Router advertisement (RA): Sent by a router to advertise IP addresses (including the primary andsecondary IP addresses) and preference.

n Router solicitation (RS): Sent by a host to request the IP addresses of routers on the subnet.

An interfacewith IRDP enabled periodically broadcasts ormulticasts an RAmessage to advertise its IPaddresses. A receiving host adds the IP addresses to its routing table, and selects the IP address with thehighest preference as the default gateway.

When a host attached to the subnet starts up, the host multicasts an RSmessage to request immediateadvertisements. If the host does not receive any advertisements, it retransmits the RS several times. If thehost does not discover the IP addresses of neighboring routers because of network problems, the host canstill discover them fromperiodic RAs.

IRDP allows hosts to discover neighboring routers, but it does not suggest the best route to a destination. Ifa host sends a packet to a router that is not the best next hop, the host will receive an ICMP redirectmessage from the router.

IP address preferenceEvery IP address advertised in RAs has a preference value. A larger preference value represents a higherpreference. The IP address with the highest preference is selected as the default gateway address.

You can specify the preference for IP addresses to be advertised on a router interface.

An address with theminimumpreference value (-2147483648) will not be used as a default gatewayaddress.

Lifetime of an IP addressAn RA contains a lifetime field that specifies the lifetime of advertised IP addresses. If the host does notreceive a new RA for an IP address within the address lifetime, the host removes the route entry.

All the IP addresses advertised by an interface have the same lifetime.

Advertising intervalA router interfacewith IRDP enabled sends out RAs randomly between theminimumandmaximumadvertising intervals. Thismechanism prevents the local link frombeing overloaded by a large number ofRAs sent simultaneously from routers.

As a best practice, shorten the advertising interval on a link that suffers high packet loss rates


IRDP | 11

Destination address of RAAn RA uses either of the following destination IP addresses:

n Broadcast address 255.255.255.255.n Multicast address 224.0.0.1, which identifies all hosts on the local link.

By default, the destination IP address of an RA is themulticast address. If all listening hosts in a local areanetwork support IP multicast, specify 224.0.0.1 as the destination IP address.

Proxy-advertised IP addressesBy default, an interface advertises its primary and secondary IP addresses. You can specify IP addresses ofother gateways for an interface to proxy-advertise.

VRF supportIn IP-based computer networks, virtual routing and forwarding (VRF) is a technology that allowsmultipleinstances of a routing table to co-exist within the same router at the same time. Because the routinginstances are independent, the same or overlapping IP addresses can be used without conflicting with eachother.

IRDP is VRF aware. As the router advertisements and solicit processing occurs on the interface, packet isthrough the interface and corresponding VRF.

VSX synchronizationIRDP supports VSX synchronization. Formore information on using VSX, see the Virtual Switching Extension(VSX) Guide for your switch and software version

Configuring IRDPPrerequisitesA layer 3 interface.

Procedure

1. Enable IRDP on an interfacewith the command ip irdp.2. Set themaximumhold timewith the command ip irdp holdtime.3. Set themaximum router advertisement interval with the command ip irdp maxadvertinterval.4. Set theminimum router advertisement interval with the command ip irdp minadvertinterval.5. Set the IRDP preference level with the command ip irdp preference.6. Review IRDP configuration settings with the command show ip irdp.

ExampleThis example creates the following configuration:

n Enables IRDP on the layer 3 VLAN interface 2 with packet type set to broadcast.n Sets the hold time to 5000 seconds.n Sets the advertisement interval to 30 seconds.n Sets theminimumadvertisement interval to 25 seconds.n Sets the IRDP preference level to 25.

switch(config)# interface vlan 2switch(config-if-vlan)# ip irdp broadcastswitch(config-if-vlan)# ip irdp holdtime 5000switch(config-if-vlan)# ip irdp maxadvertinterval 30switch(config-if-vlan)# ip irdp minadvertinterval 25switch(config-if-vlan)# ip irdp preference 25

IRDP commands

diag-dump irdp basicdiag-dump irdp basic

DescriptionDisplays diagnostic information for IRDP.

Example

switch# diag-dump irdp basic=========================================================================[Start] Feature irdp Time : Thu Jan 7 04:46:25 2021=========================================================================-------------------------------------------------------------------------[Start] Daemon hpe-rdiscd-------------------------------------------------------------------------Interface: vlan2 (state : Down)rdisc ipv4 (enabled: 1, max:600, min:450, hold:1800, pref:0, isBcast:0)No advertisable IPv4 addresses on the interfaceInterface: vlan1 (state : Down)rdisc ipv4 (enabled: 0, max:600, min:450, hold:1800, pref:0, isBcast:0)No advertisable IPv4 addresses on the interface

-------------------------------------------------------------------------[End] Daemon hpe-rdiscd-------------------------------------------------------------------------=========================================================================[End] Feature irdp=========================================================================Diagnostic-dump captured for feature irdp

Command History

Release Modification

10.07 or earlier --

Command Information

Platforms Command context Authority

All platforms Manager (#) Operators or Administrators or local user groupmembers withexecution rights for this command. Operators can execute thiscommand from the operator context (>) only.


IRDP | 13

ip irdpip irdp [broadcast | multicast]no ip irdp

DescriptionEnables IRDP on an interface and specifies the packet type that is used to send advertisements. By default,the packet type is set to multicast. IRDP is only supported on layer 3 interfaces.

The no form of this command disables IRDP on an interface.

Parameter Description

broadcast Advertisements are sent as broadcast packets to IP address255.255.255.255.

multicast Advertisements are sent as multicast packets to the multicastgroup with IP address 24.0.0.1. Default.

ExamplesEnabling IRDP on interface vlan 2 with packet type set to the default value (multicast).

switch(config)# interface vlan 2switch(config-if-vlan)# ip irdp

Enabling IRDP on interface vlan 2 with packet type set to broadcast.

switch(config)# interface vlan 2switch(config-if-vlan)# ip irdp broadcast

Disabling IRDP.

switch(config)# interface vlan 2switch(config-if-vlan)# no ip irdp

Command History


10.07 or earlier --

Command Information


All platforms config-if-vlan Administrators or local user groupmembers with execution rightsfor this command.

ip irdp holdtimeip irdp holdtime <TIME>no ip irdp holdtime <TIME>

DescriptionSpecifies themaximumamount of time the host will consider an advertisement to be valid until a neweradvertisement arrives. When a new advertisement arrives, hold time is reset. Hold timemust be greaterthan or equal to themaximumadvertisement interval. Therefore, if the hold time for an advertisementexpires, the host can reasonably conclude that the router interface that sent the advertisement is no longeravailable. The default hold time is three times themaximumadvertisement interval.

The no form of this command removes the specifiedmaximumamount of time the host will consider anadvertisement to be valid until a newer advertisement arrives and update it to the default value.


<TIME> Specifies the lifetime of router advertisements sent from thisinterface. Range: 4 to 9000 seconds. Default: 1800 seconds.

ExampleSetting the hold time for VLAN interface 2 to 5000 seconds:

switch(config)# interface vlan 2switch(config-if-vlan)# ip irdp holdtime 5000

Removing the the hold time for VLAN interface 2 to 5000 seconds:

switch(config)# interface vlan 2switch(config-if-vlan)# no ip irdp holdtime 5000

Command History


10.07 or earlier --

Command Information



ip irdp maxadvertintervalip irdp maxadvertinterval <TIME>no ip irdp maxadvertinterval <TIME>

DescriptionSpecifies themaximum router advertisement interval.

The no form of this command removes the specifiedmaximum router advertisement interval and reverts tothe default value.


IRDP | 15


<TIME> Specifies the maximum time allowed between the sending ofunsolicited router advertisements. Range: 4 to 1800 seconds.Default: 600 seconds.

ExampleSetting the advertisement interval for VLAN interface 2 to 30 seconds:

switch(config)# interface vlan 2switch(config-if-vlan)# ip irdp maxadvertinterval 30

Removing the advertisement interval for VLAN interface 2 to 30 seconds:

switch(config)# interface vlan 2switch(config-if-vlan)# no ip irdp maxadvertinterval 30

Command History


10.07 or earlier --

Command Information



ip irdp minadvertintervalip irdp minadvertinterval <TIME>no ip irdp minadvertinterval <TIME>

DescriptionSpecifies theminimumamount of time the switch waits between sending router advertisements. Bydefault, this value is automatically set by the switch to be 75% of the value configured formaximum routeradvertisement interval. Use this command to override the automatically configured value.

The no form of this command removes the specifiedminimumamount of time the switch waits betweensending router advertisements and reverts to the default value.


<TIME> Specifies the minimum time allowed between the sending ofunsolicited router advertisements. Range: 3 to 1800 seconds.Default: 450 seconds (75% of the default value for maximumrouter advertisement interval).

Example

Setting theminimumadvertisement interval for VLAN interface 2 to 25 seconds:

switch(config)# interface vlan 2switch(config-if-vlan)# ip irdp minadvertinterval 25

Removing theminimumadvertisement interval for VLAN interface 2 to 25 seconds:

switch(config)# interface vlan 2switch(config-if-vlan)# no ip irdp minadvertinterval 25

Command History


10.07 or earlier --

Command Information



ip irdp preferenceip irdp preference <LEVEL>no ip irdp preference <LEVEL>

DescriptionSpecifies the IRDP preference level. If a host receivesmultiple router advertisement messages fromdifferent routers, the host selects the router that sent themessagewith the highest preference as thedefault gateway.

The no form of this command removes the specified IRDP preference level and reverts to the default value.


<LEVEL> Specifies the IRDP preference level. Range: -2147483648 to2147483647. Default: 0.

ExampleSetting the IRDP preference level for VLAN interface 2 to 25.

switch(config)# interface vlan 2switch(config-if-vlan)# ip irdp preference 25

Removing the IRDP preference level for VLAN interface 2 to 25.


IRDP | 17

switch(config)# interface vlan 2switch(config-if-vlan)# no ip irdp preference 25

Command History


10.07 or earlier --

Command Information



show ip irdpshow ip irdp

DescriptionDisplays IRDP configuration settings.

Example

switch# sh ip irdp

ICMP Router Discovery Protocol

Interface Status Advertising Minimum Maximum Holdtime PreferenceAddress Interval Interval

--------------- -------- ----------- -------- -------- -------- -----------vlan1 Disabled multicast 450 600 1800 0bridge_normal Disabled multicast 450 600 1800 0

Command History


10.07 or earlier --

Command Information


All platforms Manager (#) Administrators or local user groupmembers with execution rightsfor this command.

Chapter 3IPv6 Router Advertisement

IPv6 Router AdvertisementIPV6 RA provides amethod for local IPV6 hosts to automatically configure their own IP address (and othersettings such as a preferred DNS server) based on information advertised by switches/routers operating onthe network.

IPv6 flagsBehavior of IPv6 hosts to IPv6 RAmessages is controlled by themanaged address configuration flag (Mflag), and other stateful configuration flag (O flag).

M flag O flag Description

0 0 Indicates that no information is available via DHCPv6.

0 1 Indicates that other configuration information is available viaDHCPv6. Examples of such information are DNS-relatedinformation or information on other servers within the network.

1 0 Indicates that addresses are available via Dynamic HostConfiguration Protocol (DHCPv6).

1 1 If the M flag is set, the O flag is redundant and can be ignoredbecause DHCPv6 will return all available configurationinformation.

Configuring IPv6 RAProcedure

1. Enable transmission of IPv6 router advertisements with the command no ipv6 nd suppress-ra.2. Optionally, configure IPv6 unicast address prefixes with the command ipv6 nd prefix.3. Optionally, configure support for DNS name resolution with the commands ipv6 nd ra dns server

and ipv6 nd ra dns search-list.4. Formost deployments, the default values for the following features do not need to be changed. If

your deployment requires different settings, change the default values with the indicated command:

IPv6 RA setting Default value Command to change it

Number of neighbor solicitations to besent when performing DAD.

1 ipv6 nd dad attempts

Number of neighbor entries in the NDcache.

131072 ipv6 nd cache-limit

Hop limit to be sent in the RA messages. 64 ipv6 nd hop-limit


IPv6 Router Advertisement | 19

IPv6 RA setting Default value Command to change it

MTU value to be sent in the RAmessages.

1500 bytes ipv6 nd mtu

Neighbor solicitation interval 1000 milliseconds ipv6 nd ns-interval

Lifetime of a default router. 1800 seconds ipv6 nd ra lifetime

Retrieval of an IPv6 address by devices. Disabled ipv6 nd ra managed-config-flag

Maximum interval betweentransmissions of IPv6 RAs.

600 seconds ipv6 nd ra max-interval

Minimum interval betweentransmissions of IPv6 RAs.

200 seconds ipv6 nd ra min-interval

Time that an interface considers adevice to be reachable.

0 milliseconds (nolimit)

ipv6 nd ra reachable-time

Retry period between ND solicitations. 0 (Use locallyconfigured NS-interval)

ipv6 nd ra retrans-timer

Default routing preference for aninterface.

Medium ipv6 nd router-preference

5. Review IPv6 RA configuration settings with the commands show ipv6 nd interface, show ipv6 nd

interface prefix, show ipv6 nd ra dns server, and show ipv6 nd ra dns search-list.


n Enables IPV6 RA on interface interface vlan 2.n Sets the recursive DNS server address to 4001::1with a lifetime of 400 seconds.n Sets theminimum interval between transmissions to 3 seconds.n Sets themaximum interval between transmissions to 13 seconds.n Sets the lifetime of a default router to 1900 seconds.

switch(config)# interface vlan 2switch(config-if)# no ipv6 nd suppress-raswitch(config-if)# ipv6 nd ra dns server 4001::1 lifetime 400switch(config-if)# ipv6 nd ra min-interval 3switch(config-if)# ipv6 nd ra max-interval 13switch(config-if)# ipv6 nd ra lifetime 1900switch(config-if)# endswitch# show ipv6 nd interface vlan 2Interface vlan2 is upAdmin state is upIPv6 address:2006::1/64 [VALID]

IPv6 link-local address: fe80::98f2:b321:368:6dc6/64 [VALID]ICMPv6 active timers:

Last Router-Advertisement sent: 0 SecsNext Router-Advertisement sent in: 13 Secs

Router-Advertisement parameters:Periodic interval: 3 to 13 secsRouter Preference: mediumSend "Managed Address Configuration" flag: falseSend "Other Stateful Configuration" flag: falseSend "Current Hop Limit" field: 64Send "MTU" option value: 1500Send "Router Lifetime" field: 1900Send "Reachable Time" field: 0Send "Retrans Timer" field: 0Suppress RA: falseSuppress MTU in RA: true

ICMPv6 error message parameters:Send redirects: false

ICMPv6 DAD parameters:Current DAD attempt: 1

switch# show ipv6 nd ra dns serverRecursive DNS Server List on: vlan2

Suppress DNS Server List: NoDNS Server 1: 2001::1 lifetime 400

IPv6 RA scenarioIn this scenario, two host computers are auto-configured with IP addresses using IPv6 RA. In addition, theswitch provides the hosts with an address of a recursive DNS server.

Procedure

1. Configure the VLAN interfaces with IPv6 addresses.switch# configswitch(config)# interface vlan 2switch(config-if-vlan)# ipv6 address 2001::1/64switch(config)# interface vlan 3switch(config-if-vlan)# ipv6 address 3001::1/64switch(config)# interface vlan 4switch(config-if-vlan)# ipv6 address 4001::1/64

2. Enable transmission of all IPv6 RAmessages.switch(config-if-vlan)# no ipv6 nd suppress-ra

IPv6 RA commands

ipv6 address <global-unicast-address>ipv6 address <global-unicast-address>no ipv6 address <global-unicast-address>

DescriptionSets a global unicast address on the interface.

The no form of this command removes the global unicast address on the interface.

This command automatically creates an IPv6 link-local address on the interface. However, it does not add theipv6 address link-local command to the running configuration. If you remove the IPv6 address, the link-localaddress is also removed. To maintain the link-local address, youmust manually execute the ipv6 address

link-local command.



ExampleEnabling a global unicast address:

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 address 3731:54:65fe:2::a7

Disabling a global unicast address:

switch(config)# interface vlan 2switch(config-if-vlan)# no ipv6 address 3731:54:65fe:2::a7

Command History


10.07 or earlier --

Command Information


All platforms config-if-vlan Operators or Administrators or local user groupmembers withexecution rights for this command. Operators can execute thiscommand from the operator context (>) only.

ipv6 address autoconfigipv6 address autoconfigno ipv6 address autoconfig

DescriptionEnables the interface to automatically obtain an IPv6 address using router advertisement information andthe EUI-64 identifier.

The no form of this command disables address auto-configuration.

n A maximum of 15 autoconfigured addresses are supported.

n This command automatically creates an IPv6 link-local address on the interface. However, it does not addthe ipv6 address link-local command to the running configuration. If you remove the IPv6 address, thelink-local address is also removed. To maintain the link-local address, youmust manually execute the ipv6address link-local command.

UsageThe IPv6 SLAAC feature lets the router obtain the IPv6 address for the interface it is configured through theSLAACmethod. This feature is not available on the mgmt VRF.

ExampleEnabling unicast autoconfiguring:

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 address autoconfig

Disabling unicast autoconfiguring:

switch(config)# interface vlan 2switch(config-if-vlan)# no ipv6 address autoconfig

Command History


10.07 or earlier --

Command Information



ipv6 address link-localipv6 address link-local [<IPV6-ADDR>/<MASK>]

DescriptionEnables IPv6 on the current interface. If no address is specified, an IPv6 link-local address is auto-generatedfor the interface. If an address is specified, auto-configuration is disabled and the specified address/mask isassigned to the interface.

To disable IPv6 link-local on the interface, remove ipv6 address link-local, ipv6 address <global-

ipv6-address>, and ipv6 address autoconfig from the interface.

This feature is not available on the management VRF.


<IPV6-ADDR> Specifies the IP address in IPv6 format(xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx), where x is ahexadecimal number from 0 to F. You can use two colons (::) torepresent consecutive zeros (but only once), remove leadingzeros, and collapse a hextet of four zeros to a single 0. Forexample, this address2222:0000:3333:0000:0000:0000:4444:0055 becomes2222:0:3333::4444:55.

<MASK> Specifies the number of bits in the address mask in CIDR format(x), where x is a decimal number from 0 to 128.

Example



Enabling IPv6 link-local on the interface:

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 address link-local

Command History


10.07 or earlier --

Command Information



ipv6 nd cache-limitipv6 nd cache-limit <CACHELIMIT>no ipv6 nd cache-limit [<CACHELIMIT>]

DescriptionConfigures the limit on the number of neighbor entries in theND cache.

The no form of this command sets the cache limit to the default value.


<CACHELIMIT> Specifies the neighbor cache entries limit. Range: 1-131072.Default: 131072.

ExamplesSetting the cache limit to 20.

switch(config)# ipv6 nd cache-limit 20

Command History


10.07 or earlier --

Command Information


All platforms config Administrators or local user groupmembers with execution rightsfor this command.

ipv6 nd dad attemptsipv6 nd dad attempts <NUM-ATTEMPTS>no ipv6 nd dad attempts [<NUM-ATTEMPTS>]

DescriptionConfigures the number of neighbor solicitations to be sent when performing duplicate address detection(DAD) for a unicast address configured on an interface. If the active gateway is configured with the same IPas an SVI IP, then IPv6 DAD cannot be configured.

The no form of this command sets the number of attempts to the default value.


dad attempts <NUM-ATTEMPTS> Specifies the number of neighbor solicitations to send. Range: 0-15. Default: 1.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd dad attempts 5

Command History


10.07 or earlier --

Command Information



ipv6 nd hop-limitipv6 nd hop-limit <HOPLIMIT>no ipv6 nd hop-limit [<HOPLIMIT>]

DescriptionConfigures the hop limit to be sent in RAs.

The no form of this command resets the hop limit to 0. This reset eliminates the hop limit from the RAs thatoriginate on the interface, so the host determines the hop limit.


hop-limit <HOPLIMIT> Specifies the hop limit. Range: 0-255. Default: 64.

Examples



switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd hop-limit 64

Command History


10.07 or earlier --

Command Information



ipv6 nd mtuipv6 nd mtu <MTU-VALUE>no ipv6 nd mtu [<MTU-VALUE>]

DescriptionConfigures theMTU size to be sent in the RAmessages.

The no form of this command sets hop limit to the default value.


<MTU-VALUE> Specifies the MTU size. Range: 1280-65535 bytes. Default: 1500bytes.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd mtu 1300

Command History


10.07 or earlier --

Command Information



ipv6 nd ns-interval

ipv6 nd ns-interval <TIME>no ipv6 nd ns-interval [<TIME>]

DescriptionConfigures theND time inmilliseconds between DAD neighbor solicitations sent for an unresolveddestination. Increase the ns-interval time if the network is slow or if there are persistent retry failures. If theactive gateway is configured with the same IP as an SVI IP, then IPv6 DAD cannot be configured

The no form of this command sets the ns-interval to the default value.


<TIME> Specifies the neighbor solicitation interval. Range: 1000-3600000milliseconds. Default: 1000 milliseconds.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd ns-interval 1200

Command History


10.07 or earlier --

Command Information



ipv6 nd prefixipv6 nd prefix <IPV6-ADDR>/<PREFIX-LEN>

[no-advertise | [valid <LIFETIME-VALUE> preferred<LIFETIME-VALUE>] | no-autoconfig | no-onlink]

no ipv6 nd prefix <IPV6-ADDR>/<PREFIX-LEN> [no-advertise| [valid <LIFETIME-VALUE> preferred <LIFETIME-VALUE>] | no-autoconfig | no-onlink]

ipv6 nd prefix default [no-advertise | [valid <LIFETIME-VALUE>preferred <LIFETIME-VALUE>] | no-autoconfig | no-onlink]}

no ipv6 nd prefix default [no-advertise | [valid <LIFETIME-VALUE>preferred <LIFETIME-VALUE>] | no-autoconfig | no-onlink]}

DescriptionSpecifies prefixes for the routing switch to include in RAs transmitted on the interface. IPv6 hosts use theprefixes in RAs to autoconfigure themselves with global unicast addresses. The autoconfigured address of ahost is composed of the advertised prefix and the interface identifier in the current link-local address of thehost.



By default, advertise, autoconfig, and onlink are set.

The no form of this command removes the configuration on the interface.


<IPV6-ADDR>/<PREFIX-LEN> Specifies the IPv6 prefix to advertise in RA. Format: X:X::X:X/M

default Specifies apply configuration to all on-link prefixes that are notindividually set by the ipv6 ra prefix <IPV6-ADDR>/<PREFIX-LEN> command. It applies the same valid and preferred lifetimes,link state, autoconfiguration state, and advertise options to theadvertisements sent for all on-link prefixes that are notindividually configured with a unique lifetime. This also applies tothe prefixes for any global unicast addresses configured later onthe same interface.Using default once, and then using it again with any newparameter values results in the new values replacing the formervalues in advertisements. If default is used without the no–advertise, no–autoconfig, or no-onlink parameter, theadvertisement setting for the absent parameter is returned to itsdefault setting.

no-advertise Specifies do not advertise prefix in RA.

valid <LIFETIME-VALUE> Specifies the total time, in seconds, the prefix remains availablebefore becoming unusable. After preferred-lifetime expiration,any autoconfigured address is deprecated and used only fortransactions only before preferred-lifetime expires. If the validlifetime expires, the address becomes invalid.You can enter a value in seconds or enter valid infinite whichsets infinite lifetime. Default: 2,592,000 seconds which is 30 days.Range: 0–4294967294 seconds.

preferred <LIFETIME-VALUE> Specifies the span of time during which the address can be freelyused as a source and destination for traffic. This setting must beless than or equal to the corresponding valid–lifetime setting.You can enter a value in seconds or enter preferred infinitewhich sets infinite lifetime. Default: 604,800 seconds which isseven days. Range: 0–4294967294 seconds.

no-autoconfig Specifies do not use prefix for autoconfiguration.

no-onlink Specifies do not use prefix for onlink determination.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd prefix 4001::1/64 valid 30 preferred 10 no-autoconfig no-onlink

Command History


10.07 or earlier --

Command Information



ipv6 nd ra dns search-listipv6 nd ra dns search-list <DOMAIN-NAME> [lifetime <TIME>]no ipv6 nd ra dns search-list <DOMAIN-NAME>

DescriptionConfigures theDNS Search List (DNSSL) to include in Router Advertisements (RAs) transmitted on theinterface.

The no form of this command removes theDNS Search List from the RAs transmitted on the interface.


<DOMAIN-NAME> Specifies the domain names for DNS queries.

lifetime <TIME> Specifies lifetime in seconds. Range: 4-4294967295 seconds.Default: 1800 seconds.

Usage

n DNSSL contains the domain names of DNS suffixes or IPv6 hosts to append to short, unqualified domainnames for DNS queries.

n Multiple DNS domain names can be added to theDNSSL by using the command repeatedly.n Amaximumof eight server addresses are allowed.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd ra dns search-list test.com lifetime 500

Command History


10.07 or earlier --

Command Information



ipv6 nd ra dns serveripv6 nd ra dns server <IPV6-ADDR> [lifetime <TIME>]no ipv6 nd ra dns server <IPV6-ADDR>



DescriptionConfigures the IPv6 address of a preferred Recursive DNS Server (RDNSS) to be included in RouterAdvertisements (RAs) transmitted on the interface.

The no form of this command removes the configured DNS server from the RAs transmitted on theinterface.


<IPV6-ADDR> Specifies the RDNSS address in IPv6 format(xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx), where x is ahexadecimal number from 0 to F. You can use two colons (::) torepresent consecutive zeros (but only once), remove leadingzeros, and collapse a hextet of four zeros to a single 0. Forexample, this address2222:0000:3333:0000:0000:0000:4444:0055 becomes2222:0:3333::4444:55.

lifetime <TIME> Specifies IPv6 DNS server lifetime in seconds. Range: 4-4294967295 seconds. Default: 1800 seconds.

Usage

n Including RDNSS information in RAs provides DNS server configuration for connected IPv6 hosts withoutrequiring DHCPv6.

n Multiple servers can be configured on the interface by using the command repeatedly.n Amaximumof eight server addresses are allowed.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd ra dns server 2001::1 lifetime 400

Command History


10.07 or earlier --

Command Information



ipv6 nd ra lifetimeipv6 nd ra lifetime <TIME>no ipv6 nd ra lifetime [<TIME>]

Description

Configures the lifetime, in seconds, for the routing switch to be used as a default router by hosts on thecurrent interface.

The no form of this command sets lifetime to the default of 1800 seconds.


<TIME> Specifies lifetime in seconds of a default router. A setting of 0 fordefault router lifetime in an RA indicates that the routing switch isnot a default router on the interface. Range: 0-9000 seconds.Default: 1800 seconds.

Usage

n A given host on an interface refreshes the default router lifetime for a specific router each time the hostreceives an RA from that router.

n A specific router ceases to be a default router candidate for a given host if the default router lifetimeexpires before the host is updated with a new RA from the router.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd ra lifetime 1200

Command History


10.07 or earlier --

Command Information



ipv6 nd ra managed-config-flagipv6 nd ra managed-config-flagno ipv6 nd ra managed-config-flag

DescriptionControls theM flag setting in RAs the router transmits on the current interface. Enable theM flag to indicatethat hosts can obtain IP address through DHCPv6. TheM flag is disabled by default.

The no form of this command turns off (disables) theM flag.

Usage

n Enabling theM flag directs hosts to acquire their IPv6 addressing for the current interface from aDHCPv6 server.



n When theM-bit is enabled, receiving hosts ignore theO flag setting, which is configured using thecommand ipv6 nd ra other-config-flag.

n When theM-bit is disabled (the default), receiving hosts expect to receive their IPv6 addresses fromRA.

M flag O flag Description

0 0 Indicates that no information is available viaDHCPv6.

0 1 Indicates that other configurationinformation is available via DHCPv6.Examples of such information are DNS-related information or information on otherservers within the network.

1 0 Indicates that addresses are available viaDynamic Host Configuration Protocol(DHCPv6).

1 1 If the M flag is set, the O flag is redundantand can be ignored because DHCPv6 willreturn all available configurationinformation.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd ra managed-config-flag

Command History


10.07 or earlier --

Command Information



ipv6 nd ra max-intervalipv6 nd ra max-interval <TIME>no ipv6 nd ra max-interval [<TIME>]

DescriptionConfigures themaximum interval between transmissions of IPv6 RAs on the interface. The interval betweenRA transmissions on an interface is a random value that changes every time an RA is sent. The interval iscalculated to be a value between the current max-interval andmin-interval settings.

The no form of this command returns the setting to its default, provided the default value is less than thedefault lifetime value.


<TIME> Specifies the maximum advertisement time in seconds. Range: 4-1800. Default: 600 seconds.

Usage

n This value has one setting per interface. The setting does not apply to RAs sent in response to a routersolicitation received from another device.

n Attempting to set max-interval to a value that is not sufficiently larger than the current min-interval alsoresults in an errormessage.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd ra max-interval 30

Command History


10.07 or earlier --

Command Information



ipv6 nd ra min-intervalipv6 nd ra min-interval <TIME>no ipv6 nd ra min-interval [<TIME>]

DescriptionConfigures theminimum interval between transmissions of IPv6 RAs on the interface. The interval betweenRA transmissions on an interface is a random value that changes every time an RA is sent. The interval iscalculated to be a value between the current max-interval andmin-interval settings.

The no form of this command returns the setting to its default, provided the default value is less than thecurrent max-interval setting.


<TIME> Specifies a minimum advertisement time in seconds. Range: 3-1350. Default: 200 seconds.

Usage

n This value has one setting per interface and does not apply to RAs sent in response to a router solicitationreceived from another device.



n Themin-interval must be less than themax-interval. Attempting to set min-interval to a higher valueresults in an errormessage.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd ra min-interval 25

Command History


10.07 or earlier --

Command Information



ipv6 nd ra other-config-flagipv6 nd ra other-config-flagno ipv6 nd ra other-config-flag

DescriptionControls theO-bit in RAs the router transmits on the current interface; but is ignored unless theM-bit isdisabled in RAs. Configure to set theO-bit in RAmessages for host to obtain network parameters throughDHCPv6. The other-config-flag is disabled by default.

Formore information on configuring theM-bit, see ipv6 nd ra managed-config-flag.

The no form of this command turns off (disables) the setting for this command in RAs.

UsageEnabling theO-bit while theM-bit is disabled directs hosts on the interface to acquire their otherconfiguration information fromDHCPv6. Examples of such information are DNS-related information orinformation on other servers within the network.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd ra other-config-flag

Command History


10.07 or earlier --

Command Information



ipv6 nd ra reachable-timeipv6 nd ra reachable-time <TIME>no ipv6 nd ra reachable-time [<TIME>]

DescriptionSets the amount of time that the interface considers a device to be reachable after receiving a reachabilityconfirmation from the device.

The no form of this command sets the reachable time to the default value of 0. (no limit).


<TIME> Specifies the reachable time in milliseconds. Range: 1000-3600000. Default: 0 (no limit).

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd ra reachable-time 2000

Command History


10.07 or earlier --

Command Information



ipv6 nd ra retrans-timeripv6 nd ra retrans-timer <TIME>no ipv6 nd ra retrans-timer [<TIME>]

DescriptionConfigures the period (retransmit timer) between ND solicitations sent by a host for an unresolveddestination, or between DAD neighbor solicitation requests. By default, hosts on the interface use their ownlocally configured NS-interval settings instead of using the value received in the RAs.

Increase this timer when neighbor solicitation retries or failures are occur, or in a "slow" (WAN) network.

The no form of this command sets the value to the default of 0.




<TIME> Specifies the retransmit timer value in milliseconds. Range: 0 -4294967295 milliseconds. Default: 0 (Use locally configured NS-interval).

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd ra retrans-timer 400

Command History


10.07 or earlier --

Command Information



ipv6 nd router-preferenceipv6 nd router-preference {high | medium | low}no ipv6 nd router-preference [high | medium | low]

DescriptionSpecifies the value that is set in theDefault Router Preference (DRP) field of Router Advertisements (RAs)that the switch sends from an interface. An interfacewith a DRP value of high will be preferred by otherdevices on the network over interfaces with an RA value of mediumor low.

The no form of this command set the value to the default of medium.


high Sets DRP to high.

medium Sets DRP to medium. Default.

low Sets DRP to low.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd router-preference high

Command History


10.07 or earlier --

Command Information



ipv6 nd suppress-raipv6 nd suppress-ra [<SUPPRESS-OPTION>]no ipv6 nd ra supress-ra [<SUPPRESS-OPTION>]

DescriptionConfigures suppression of IPv6 Router Advertisement transmissions on an interface.

The no form of this command restores transmission of IPv6 Router Advertisement and options.


suppress-ra [<SUPPRESS-OPTION>] Specifies suppressing RA transmissions. Entering suppress-rawithout any options, suppresses all RA messages (default). Or youcan enter one of the following options.

dnssl Specifies suppressing DNSSL options in RA messages.

mtu Specifies suppressing MTU options in RA messages.

rdnss Specifies suppressing RDNSS options in RA messages.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd suppress-ra mtu dnssl rdnssswitch(config-if-vlan)# no ipv6 nd suppress-ra mtu dnssl rdnss

Command History


10.07 or earlier --

Command Information





show ipv6 nd global trafficshow ipv6 nd global traffic

DescriptionDisplays IPV6 Neighbor Discovery traffic details on a device.

Examples

switch# show ipv6 nd global trafficICMPv6 packet Statistics (sent/received)Total Messages : 18/0Error Messages : 0/0Destination Unreachables : 0/0Time Exceeded : 0/0Parameter Problems : 0/0Echo Request : 0/0Echo Replies : 0/0Redirects : 0/0Packet Too Big : 0/0Router Advertisements : 4/0Router Solicitations : 0/0Neighbor Advertisements : 0/0Neighbor Solicitations : 3/0Duplicate router RA received : 0/0

ICMPv6 MLD Statistics (sent/received)V1 Queries : 0/0V2 Queries : 0/0V1 Reports : 0/0V2 Reports : 11/0V1 Leaves : 0/0

Command History


10.07 or earlier --

Command Information


All platforms Operator (>) or Manager(#)

Operators or Administrators or local user groupmembers withexecution rights for this command. Operators can execute thiscommand from the operator context (>) only.

show ipv6 nd interfaceshow ipv6 nd interface [<IF-NAME> | all-vrfs | vrf <VRF-NAME>]

DescriptionDisplays neighbor discovery information for an interface. If no options are specified, displays informationfor the default VRF.


<IF-NAME> Displays information about the specified IPv6 enabled interface.

all-vrfs Displays information about interfaces in all VRFs.

vrf <VRF-NAME> Displays information about interfaces in a particular VRF. Or, if<VRF-NAME> is not specified, information for the default VRF isdisplayed.

ExamplesShowing information for all VRFs:

switch# show ipv6 nd interface all-vrfs

List of IPv6 Interfaces for VRF defaultInterface vlan2 is upAdmin state is upIPv6 address:IPv6 link-local address: fe80::7272:cfff:fee7:a8b9/64 [VALID]ICMPv6 active timers:

Last Router-Advertisement sent:Next Router-Advertisement sent in:

Router-Advertisement parameters:Periodic interval: 200 to 600 secsRouter Preference: mediumSend "Managed Address Configuration" flag: falseSend "Other Stateful Configuration" flag: falseSend "Current Hop Limit" field: 64Send "MTU" option value: 1500Send "Router Lifetime" field: 1800Send "Reachable Time" field: 0Send "Retrans Timer" field: 0Suppress RA: trueSuppress MTU in RA: true



List of IPv6 Interfaces for VRF redInterface vlan3 is upAdmin state is upIPv6 address:2001::1/64 [VALID]

IPv6 link-local address: fe80::7272:cfff:fee7:a8b9/64 [VALID]ICMPv6 active timers:


Router-Advertisement parameters:Periodic interval: 200 to 600 secsRouter Preference: mediumSend "Managed Address Configuration" flag: falseSend "Other Stateful Configuration" flag: falseSend "Current Hop Limit" field: 64Send "MTU" option value: 1500Send "Router Lifetime" field: 1800Send "Reachable Time" field: 0Send "Retrans Timer" field: 0



Suppress RA: trueSuppress MTU in RA: true



Showing information for interface vlan 2:

switch# show ipv6 nd interface vlan 2Interface vlan2 is upAdmin state is upIPv6 address:IPv6 link-local address: fe80::7272:cfff:fee7:a8b9/64 [VALID]ICMPv6 active timers:


Router-Advertisement parameters:Periodic interval: 200 to 600 secsRouter Preference: highSend "Managed Address Configuration" flag: falseSend "Other Stateful Configuration" flag: falseSend "Current Hop Limit" field: 64Send "MTU" option value: 1500Send "Router Lifetime" field: 1800Send "Reachable Time" field: 0Send "Retrans Timer" field: 0Suppress RA: trueSuppress MTU in RA: true



Showing information for the default VRF:

switch# show ipv6 nd interface

List of IPv6 Interfaces for VRF defaultInterface vlan2 is upAdmin state is upIPv6 address:

2001::1/64 [VALID]IPv6 link-local address: fe80::7272:cfff:fee7:a8b9/64 [VALID]ICMPv6 active timers:

Last Router-Advertisement sent: 6 SecsNext Router-Advertisement sent in: 7 Secs

Router-Advertisement parameters:Periodic interval: 3 to 13 secsRouter Preference: mediumSend "Managed Address Configuration" flag: falseSend "Other Stateful Configuration" flag: falseSend "Current Hop Limit" field: 64Send "MTU" option value: 1500Send "Router Lifetime" field: 1900Send "Reachable Time" field: 0Send "Retrans Timer" field: 0Suppress RA: trueSuppress MTU in RA: true



Command History


10.07 or earlier --

Command Information




show ipv6 nd interface prefixshow ipv6 nd interface prefix [all-vrfs | vrf <VRF-NAME>]

DescriptionShows IPv6 prefix information for all VRFs or a specific VRF. If no options are specified, shows informationfor the default VRF.


all-vrfs Shows prefix information for all VRFs.

vrf <VRF-NAME> Name of a VRF.

ExamplesShowing prefix information for the default VRF:

switch# show ipv6 nd interface prefix

List of IPv6 Interfaces for VRF defaultList of IPv6 Prefix advertised on vlan2

Prefix : 4545::/65Enabled : YesValidlife time : 2592000Preferred lifetime : 604800On-link : YesAutonomous : Yes

Showing information for VRF red:

switch# show ipv6 nd interface prefix vrf red



List of IPv6 Interfaces for VRF redList of IPv6 Prefix advertised on vlan3

Prefix : 2001::/64Enabled : YesValidlife time : 2592000Preferred lifetime : 604800On-link : YesAutonomous : Yes

Command History


10.07 or earlier --

Command Information




show ipv6 nd ra dns search-listshow ipv6 nd ra dns search-list

DescriptionDisplays domain name information on all interfaces.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd ra dns search-list test.comswitch# show ipv6 nd ra dns search-listRecursive DNS Search List on: 1

Suppress DNS Search List: YesDNS Search 1: test.com lifetime 1800

Command History


10.07 or earlier --

Command Information




show ipv6 nd ra dns servershow ipv6 nd ra dns server

DescriptionDisplays DNS server information on all interfaces.

Examples

switch(config)# interface vlan 2switch(config-if-vlan)# ipv6 nd ra dns server 2001::1switch# show ipv6 nd ra dns serverRecursive DNS Server List on: 1

Suppress DNS Server List: YesDNS Server 1: 2001::1 lifetime 1800

Command History


10.07 or earlier --

Command Information





Chapter 4sFlow

sFlowsFlow is a technology formonitoring traffic in switched or routed networks. The sFlowmonitoring system iscomprised of:

n An sFlow Agent that runs on a network device, such as a switch. The agent uses sampling techniques tocapture information about the data traffic flowing through the device and forwards this information toan sFlow collector.

n An sFlow Collector that receivesmonitoring information from sFlow agents. The collector stores thisinformation so that a network administrator can analyze it to understand network data flow patterns.One sFlow collector can recieve the data frommany sFlow agents.

The sFlow UDP datagrams sent to a collector are not encrypted, therefore any sensitive information contained inan sFlow sample is exposed.

sFlow agentThe sFlow agent on the switch provides ingress sampling of all forwarded layer 2 and layer 3 traffic on LAGand Ethernet ports. High-availability is supported (packet sampling continues to work after switch-over).

The sFlow agent can communicatewith up to three sFlow collectors at the same time. The agentcommunicates with collectors only on the default VRF.

Although you can configure very high sampling rates, the switchmay drop samples if it cannot handle therate of sampled packets. High sampling ratesmay also cause high CPU usage resulting in control planeperformance issues.

A single sFlow datagram sent to a collector containsmultiple flow and counter samples. The total number ofsamples an sFlow datagram can contain varies depending on the settings for header size andmaximumdatagram size.

Default settings

n sFlow is disabled on all interfaces.n Collector port: UDP port 6343.n Sampling rate: 4096.n Polling interval: 30 seconds.n Header size: 128 bytes.n Max datagram size: 1400 bytes.

Supported features

n Global sampling raten Interface counters pollingn Agent IP configuration for IPv4 and IPv6n Header size configuration


sFlow | 44

n Max datagram size configurationn Ingress sampling for all forwarded traffic (L2, L3)n Enable/Disable sFlow per interfacen Support for three remote collectorsn An out-of-band collector can be defined on themanagement VRFn A collector can be defined on the non-default VRFn Sampling on Ethernet and LAG interfacesn High availability support (sampling continues to work after switch-over)n Source IP support (setting source IP for sFlow datagrams sent to a remote collector)

Limitations

n No sampling of egress trafficn Sampling rate cannot be set per interface (global only)n sFlow is not configurable via SNMP

Configuring the sFlow agentProcedure

1. Configure one ormore sFlow collectors with the command sflow collector. This determines wherethe sFlow agent sends sFlow information.

2. Enable the sFlow agent on all interfaces, or on a specific interface, with the command sflow.3. Define the address of the sFlow agent with the command sflow agent-ip.4. By default, the source IP address for sFlow datagrams is set to the IP address of the outgoing switch

interface on which the sFlow client is communicating with a collector. Since the switch can havemultiple routing interfaces, datagrams can potentially be sent on different paths at different times,resulting in different source IP addresses for the same client. To resolve this issue, define a singlesource IP address. For details, see Single source IP address in the Fundamentals Guide.

5. Formost deployments, the default values for the following settings do not need to be changed. Ifyour deployment requires different settings, change the default values with the indicatedcommands:

sFlow setting Default value Command to change it

Rate at which packets are sampled. 1 in every 4096 packets sflow sampling

Rate at which the switch sends data toan sFlow collector.

30 seconds sflow polling

Size of the sFlow header. 128 bytes sflow header-size

Maximum size of an sFlow datagram. 1400 bytes sflow max-datagram-size

6. Review sFlow configuration settings with the command show sflow.


n Configures an sFlow collector with the IP address 10.10.20.209 .n Enables the sFlow agent on all interfaces.n Defines the sFlow agent IP address to be 10.10.1.5.

switch(config)# sflow collector 10.10.20.209switch(config)# sflowswitch(config)# sflow agent-ip 10.0.0.1

sFlow scenarioIn this scenario, two hosts send sFlow traffic through a switch to an sFlow collector.

Procedure

1. Enable sFlow globally.switch# configswitch(config)# sflow

2. Set the sFlow agent IP address to 10.10.12.1.switch(config)# sflow agent-ip 10.10.12.1

3. Set the sFlow collector IP address to 10.10.12.2.switch(config)# sflow collector 18.2.2.2

4. Configure sFLow sampling rate and polling interval.switch(config)# sflow sampling 5000switch(config)# sflow polling 20

5. Configure interface vlan 2 with IP address 10.10.10.1/24.switch(config)# interface vlan 2switch(config-if-vlan)# no shutdownswitch(config-if-vlan)# ip address 10.10.10.1/24switch(config)# quit



8. Verify sFlow configuration

switch# show sflow

sFlow Global Configuration

-----------------------------------------

sFlow enabled

Collector IP/Port/Vrf 10.10.10.2/6343/default

Agent Address 10.0.0.1


sFlow | 46

Sampling Rate 1024

Polling Interval 30

Header Size 128

Max Datagram Size 1400

sFlow Status

-----------------------------------------

Running - Yes

sFlow enabled on Interfaces:

-----------------------------------------

lag100

sFlow Statistics

-----------------------------------------

Number of Samples 200

sFlow scenario 2In this scenario, two hosts connected to different switches send sFlow traffic to a collector. A LAG is used toconnect the two switches.

Procedure

1. Configure switch 1.a. Enable sFlow globally.

switch# configswitch(config)# sflow

b. Set the sFlow agent IP address to 10.10.12.1.switch(config)# sflow agent-ip 10.10.12.1

c. Set the sFlow collector IP address to 10.10.12.2.switch(config)# sflow collector 10.10.12.2

d. Configure sFLow sampling rate and polling interval.switch(config)# sflow sampling 5000switch(config)# sflow polling 10

e. Create VLAN 8.switch(config)# vlan 8switch(config-vlan-8)# no shutdownswitch(config)# exit

f. Define LAG 100 and assign VLAN vlan 8 to it.switch(config)# interface lag 100switch(config-lag-if)# no shutdownswitch(config-lag-if)# vlan access 8

switch(config-lag-if)# lacp mode active

g. Configure interface vlan 5.switch(config)# interface vlan 5switch(config-if-vlan)# no shutdownswitch(config-lag-if)# no routingswitch(config-if-vlan)# vlan access 8

h. Configure VLANs 4 and 5 asmembers of LAG 100.switch# (config)#interface vlan 4switch(config-if-vlan)# no shutdownswitch(config-if-vlan)# lag 100switch(config-if-vlan)# exitswitch(config)# interface vlan 5switch(config-if-vlan)# no shutdownswitch(config-if-vlan)# lag 100switch(config-if-vlan)# exit

i. Configure interface vlan 5 with IP address 10.10.12.1/24.switch# (config)#interface vlan 5switch(config-if-vlan)# no shutdownswitch(config-if-vlan)# ip address 10.10.12.1/24switch(config-if-vlan)# quit

j. Verify sFlow configuration.

switch# show sflowsFlow Global Configuration-----------------------------------------sFlow enabledCollector IP/Port/Vrf 10.10.10.2/6343/defaultAgent Address 10.0.0.1Sampling Rate 1024Polling Interval 30Header Size 128Max Datagram Size 1400

sFlow Status-----------------------------------------Running - Yes

sFlow enabled on Interfaces:-----------------------------------------lag100

sFlow Statistics-----------------------------------------Number of Samples 200

2. Configure switch 2.a. Create VLAN 8.

switch(config)# vlan 8switch(config-vlan-8)# no shutdownswitch(config)# exit

b. Define LAG 100 and assign VLAN vlan 8 to it.switch(config)# interface lag 100switch(config-lag-if)# no shutdownswitch(config-lag-if)# vlan access 8switch(config-lag-if)# lacp mode active

c. Configure interface 1/1/1.switch(config)# interface 1/1/1


sFlow | 48

switch(config-if)# no shutdownswitch(config-if)# vlan access 8

d. Configure interface 1/1/2 and 1/1/3 asmembers of LAG 100.switch# (config)#interface 1/1/2switch(config-if)# no shutdownswitch(config-if)# lag 100switch(config-if)# exitswitch(config)-if# interface 1/1/3switch(config-if)# no shutdownswitch(config-if)# lag 100switch(config-if)# exit

sFlow agent commands

clear sflow statisticsclear sflow statistics {global | interface <INTERFACE-NAME>}

DescriptionThis command clears the sFlow sample statistics counter to 0 either globally or for a specific interface.


global Specifies all interfaces on the switch.

interface <INTERFACE-NAME> Specifies the name of an interface on the switch.

ExamplesClearing the global sFlow sample statistics counter to 0 globally:

switch(config)# clear sflow statistics global

Clearing the global sFlow sample statistics counter to 0 for interface 1/1/1:

switch(config)# clear sflow statistics interface 1/1/1

Command History


10.07 or earlier --

Command Information



sflow

sflowno sflow

DescriptionEnables the sFlow agent.

n In the config context, this command enables the sFlow agent globally on all interfaces.n In an config-if context, this command enables the sFlow agent on a specific interface. sFlow cannot be

enabled on amember of a LAG, only on the LAG.

The sFlow agent is disabled by default.

The no form of this command disables the sFlow agent and deletes all sFlow configuration settings, eitherglobally, or for a specific interface.

ExamplesEnabling sFlow globally on all interfaces:

switch(config)# sflow

Disabling sFlow globally on all interfaces:

switch(config)# no sflow

Enabling sFlow on interface 1/1/1:

switch(config)# interface 1/1/1switch(config-if)# sflow

Disabling sFlow on interface 1/1/1:

switch(config)# interface 1/1/1switch(config-if)# no sflow

Enabling sFlow on interface lag100:

switch(config)# interface lag100switch(config-if)# sflow

Disabling sFlow on interface lag100:

switch(config)# interface lag100switch(config-if)# no sflow

Command History


10.07 or earlier --


sFlow | 50

Command Information


All platforms configconfig-if

Administrators or local user groupmembers with execution rightsfor this command.

sflow agent-ipsflow agent-ip <IP-ADDR>no sflow agent-ip [<IP-ADDR>]

DescriptionDefines the IP address of the sFlow agent to use in sFlow datagrams. This addressmust be defined forsFlow to function. HPE recommends that the address:

n can uniquely identify the switchn is reachable by the sFlow collectorn does not changewith time

The no form of this command deletes the IP address of the sFlow agent. This causes sFlow to stop workingand no datagramswill be sent to the sFlow collector.


<IP-ADDR> Specifies an IP address in IPv4 format (x.x.x.x), where x is adecimal number from 0 to 255, or IPv6 format(xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx), where x is ahexadecimal number from 0 to F. The agent address is used toidentify the switch in all sFlow datagrams sent to sFlow collectors.It is usually set to an IP address on the switch that is reachablefrom an sFlow collector.

ExamplesSetting the agent address to 10.10.10.100:

switch(config)# sflow agent-ip 10.0.0.100

Setting the agent address to 2001:0db8:85a3:0000:0000:8a2e:0370:7334:

switch(config)# sflow agent-ip 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Removing the address configuration from the switch, which results in sFlow being disabled:

switch(config)# no sflow agent-ip

Command History


10.07 or earlier --

Command Information



sflow collectorsflow collector <IP-ADDR> [port <PORT>] [vrf <VRF>]no sflow collector <IP-ADDR> [port <PORT>] [vrf <VRF>]

DescriptionDefines a collector to which the sFlow agent sends data. Up to three collectors can be defined. At least onecollector should be defined, and it must be reachable from the switch for sFlow to work.


collector <IP-ADDR> Specifies the IP address of a collector in IPv4 format (x.x.x.x),where x is a decimal number from 0 to 255, or IPv6 format(xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx), where x is ahexadecimal number from 0 to F.

port <PORT> Specifies the UDP port on which to send information to the sFlowcollector. Range: 0 to 65536. Default: 6343.

vrf <VRF> Specifies the VRF on which to send information to the sFlowcollector. The VRF must be defined on the switch. If no VRF isspecified, the default VRF (default) is used.

ExampleDefining a collector with IP address 10.10.10.100 on UDP port 6400:

switch(config)# sflow collector 10.0.0.1 port 6400

Command History


10.07 or earlier --

Command Information




sFlow | 52

sflow disablesflow disable

DescriptionDisables the sFlow agent, but retains any existing sFlow configuration settings. The settings become active ifthe sFlow agent is re-enabled.

ExampleDisabling sFlow support:

switch(config)# sflow disable

Command History


10.07 or earlier --

Command Information



sflow header-sizesflow header-size <SIZE>no sflow header-size [<SIZE>]

DescriptionSets the sFlow header size in bytes.

The no form of this command sets the header size to the default value of 128.


header-size <SIZE> Specifies the sFlow header size in bytes. Range: 64 to 256. Default:128.

ExamplesSetting the header size to 64 bytes:

switch(config)# sflow header-size 64

Setting the header size to the default value of 128 bytes:

switch(config)# no sflow header-size

Command History


10.07 or earlier --

Command Information



sflow max-datagram-sizesflow max-datagram-size <SIZE>no sflow max-datagram-size [<SIZE>]

DescriptionSets themaximumnumber of bytes that are sent in one sFlow datagram.

The no form of this command setsmaximumnumber of bytes to the default value of 1400.


max-datagram-size <SIZE> Specifies the maximum datagram size in bytes. Range: 1 to 9000.Default: 1400.

ExamplesSetting the datagram size to 1000 bytes:

switch(config)# sflow max-datagram-size 1000

Setting the header size to the default value of 1400 bytes:

switch(config)# no sflow max-datagram-size

Command History


10.07 or earlier --

Command Information




sFlow | 54

sflow pollingsflow polling <INTERVAL>no sflow polling [<INTERVAL>]

DescriptionDefines the global polling interval for sFlow in seconds.

The no form of this command sets the polling interval to the default value of 30 seconds.


<INTERVAL> Specifies the polling interval in seconds. Range: 10 to 3600.Default: 30.

ExamplesSetting the polling interval to 10:

switch(config)# sflow polling 10

Setting the polling interval to the default value.

switch(config)# no sflow polling

Command History


10.07 or earlier --

Command Information



sflow samplingsflow sampling <RATE>no sflow sampling [<RATE>]

DescriptionDefines the global sampling rate for sFlow in number of packets. The default sampling rate is 4096, whichmeans that one in every 4096 packets is sampled. Awarningmessage is displayed when the sampling rate isset to less than 4096 and proceeds only after user confirmation.

The no form of this command sets the sampling rate to the default value of 4096.


sampling <RATE> Specifies the sampling rate. Range: 1 to 1000000000. Default:4096.

ExamplesSetting the sampling rate to 5000:

switch(config)# sflow sampling 5000

Setting the sampling rate to the default:

switch(config)# no sflow sampling

Setting the sampling rate to 1000:

switch(config)# sflow sampling 1000Setting the sFlow sampling rate lower than 4096 is not recommended and mightaffect system performance.Do you want to continue [y/n]? yswitch(config)#

Command History


10.07 or earlier --

Command Information



show sflowshow sflow [interface <INTERFACE-NAME>]

DescriptionShows sFlow configuration settings and statistics for all interfaces, or for a specific interface


interface <INTERFACE-NAME> Specifies the name of an interface on the switch.

ExamplesShowing sFlow information for all interfaces:


sFlow | 56

switch# show sflowsFlow Global Configuration-----------------------------------------sFlow enabledCollector IP/Port/Vrf 10.10.10.2/6343/defaultAgent Address 10.0.0.1Sampling Rate 1024Polling Interval 30Header Size 128Max Datagram Size 1400

sFlow Status-----------------------------------------Running - Yes

sFlow enabled on Interfaces:-----------------------------------------lag100

sFlow Statistics-----------------------------------------Number of Samples 200

Showing sFlow information for interface 1/1/1:

switch# show sflow interface 1/1/1sFlow configuration - Interface 1/1/1-----------------------------------------sFlow enabledSampling Rate 1024Number of Samples 30sFlow Sampling Status success

Command History


10.07 or earlier --

Command Information



Chapter 5DHCP client

DHCP clientTheDynamic Host Configuration Protocol (DHCP) enables the automatic assignment of IP addresses andother configuration settings to network devices.

DHCP clientBy default, the switch operates as a DHCP client on VLAN 1 allowing it to automatically obtain an IP addressfrom aDHCP server on the network to which it is connected.

DHCP client commands

ip dhcpip dhcpno ip dhcp

DescriptionEnables theDHCP client on any interface VLAN to automatically obtain an IP address from aDHCP server onthe network. By default, the DHCP client is enabled on VLAN 1.

The no form of the command disables DHCPmode and is supported only on interface VLANs.

ExamplesEnabling theDHCP client on the interface vlan 1:

switch(config)# interface vlan 1switch(config-if-vlan)# ip dhcpswitch(config-if-vlan)# no shutdown

Disabling theDHCP client on the interface vlan 1:

switch(config)# interface vlan 1switch(config-if-vlan)# no ip dhcp

If the interface is not enabled, you can enable it by entering the no shutdown command.

ip dhcp is supported only on one vlan at a time.

Command History


10.07 or earlier --

Command Information


DHCP client | 58



show ip dhcpshow ip dhcp

DescriptionDisplays DHCP IPv4 information on the ports.

ExamplesDisplaying theDHCP IPv4 information on the ports:

switch# show ip dhcp

INTERFACE-NAME ADDRESS DEFAULT_GATEWAY DOMAIN_NAME VRF DNS-SERVERS---------------------------------------------------------------------------------------------------------vlan1 10.254.239.10/27 domain.com default 50.0.0.2, 50.0.0.3,50.0.0.4

Command History


10.09 or earlier Command introduced.

Command Information




DHCP relay agent

DHCP relay is supported by the Aruba 4100i Switch Series but not the Aruba 6000 or 6100 Switch Series.

The function of theDHCP relay agent is to forward theDHCPmessages to other subnets so that theDHCPserver does not have to be on the same subnet as theDHCP clients. TheDHCP relay agent transfers DHCPmessages from theDHCP clients located on a subnet without a DHCP server, to other subnets. It also relaysanswers fromDHCP servers to DHCP clients.

Supported interfacesTheDHCP relay agent is supported on layer 3 interfaces, layer 3 VLAN interfaces, and LAG interfaces. DHCPrelay is not supported on themanagement interface.

VRF support

TheDHCP relay agent is VRF aware and behaves as follows when VRFs are defined on the switch:

n DHCP client requests received on an interface are forwarded to the configured servers via the VRF thatthe interface is part of.

n DHCP server responses received on an interface are forwarded to the client that is reachable via the VRFthat the interface is part of.

DHCP server interoperationBoth DHCP relay and DHCP server can be configured on the same VRF.

DHCPv4 relay agent


Hop count in DHCP requestsWhen aDHCP client broadcasts request, the DHCP relay agent in the switch receives the packets andforwards them to theDHCP server as unicast requests. During this process, the DHCP relay agentincrements the hop count before forwarding DHCP packets to the server. TheDHCP server, in turn, includesthe hop count in theDHCP header in the response sent back to a DHCP client.

DHCP relay option 82Option 82 is called the relay agent information option. When aDHCP relay agent forwards client-originatedDHCP packets to a DHCP server, the option 82 field is inserted/replaced, or the packet with this option isdropped. Servers recognizing the relay agent information optionmay use the information to implementpolicies for the assignment of IP addresses and other parameters. The relay agent relays the server-to-clientreplies to the client.

If a second relay agent is configured to add its own option 82 information, it can encapsulate option 82information inmessages from a first relay agent. TheDHCP server uses the option 82 information fromboth relay agents to decide the IP address for the client.

Inter-VRF DHCP relayTheDHCP relay agent supports anycast gateway using option 82 sub-option 5 (RFC 3527). TheDHCP relaydiscovery packet is filled with the client's gateway IP address in sub-option 5 (discovery packet). TheDHCPserver uses this information to offer an IP address from the right pool. Pool selection occurs by matchingthe default gateway configuration settings on theDHCP server with the requested gateway IP address insub-option 5 in the discovery packet.

The switch uses DHCP relay sub-option 151 to enable DHCP relay to forward discovery and reply packetsbetween VXLAN DHCP clients and DHCP servers even when they are on different overlay or underlay VRFsand theDHCP-server is reachable on the default VRF or one of the overlay VRFs.

In general deployments, a renewal of a DHCP client's IP occurs when the client sends a request to theDHCPserver directly. In the case of EVPN VXLAN clients, the DHCP server is not directly reachable. Instead, therenewal request is sent to theDHCP relay. DHCP relay agent fills the option 82 sub-option 11 field in theDHCP discovery packet with the client's gateway IP on the VTEP (which is the relay interface IP address ofthe VTEP) and theDHCP server returns a DHCP offer reply packet with option 54 set to theDHCP serverIdentifier. When the reply packet is received by the client, the client uses the IP in option 54 to sentsubsequent renewal requests to this IP (VTEP's Relay Interface IP) using sub-option 11 (also known as theServer ID Override Sub-option). Refer to RFC 5107 formore details.


DHCP client | 60

Sub-options 5,11,151,152 are filled in the discover packet, only if a source IP address is defined (using thecommand ip source-address) for the given DHCP server's source VRF. If the server does not understandsub-option 151, then the server will add sub-option 152 in offer packet.

In an inter-VRF situation, when both DHCP relay and DHCP snooping are enabled on the switch with option82, DHCPv4 clients will not receive an IP address.

Configuring a BOOTP/DHCP relay gatewayTheDHCP relay agent selects the lowest-numbered IP address on the interface to use for DHCPmessages.TheDHCP server then uses this IP address when it assigns client addresses. However, this IP addressmaynot be the same subnet as the one on which the client needs theDHCP service. This feature provides awayto configure a gateway address for theDHCP relay agent to use for relayed DHCP requests, rather than theDHCP relay agent automatically assigning the lowest-numbered IP address.

Configuring the DHCPv4 relay agent


Prerequisites

n An enabled layer 3 interface.

Procedure

1. TheDHCPv4 relay agent is enabled by default. If it was previously disabled, enable it with thecommand dhcp-relay.

2. Configure one ormore IP helper addresses with the command ip helper-address. This determineswhere theDHCPv4 agent forwards DHCP requests. IP helper addresses can be configured on layer 3interfaces, layer 3 VLAN interfaces, and LAG interfaces.

3. If you want to modify the content of forwarded DHCP packets or drop DHCP packets, configureoption 82 support with the command dhcp-relay option 82.

4. Define the gateway address that the DHCPv4 agent will usewith the command ip bootp-gateway.5. If required, enable the hop count increment featurewith the command dhcp-relay hop-count-

increment.6. ReviewDHCPv4 relay agent configuration settings with the commands show dhcp-relay, show ip

helper-address, and show dhcp-relay bootp-gateway.


n Enables theDHCPv4 relay agent.n Enables interface 1/1/1 and assigns an IPv4 address to it. (By default, all interfaces are layer 3 and

disabled.)n Defines an IP helper address of 10.10.20.209 on the interface.n Enables DHCP option 82 support and replaces all option 82 information with the values from the switch

with the switchMAC address as the remote ID.

switch(config)# dhcp-relayswitch(config)# interface 1/1/1

switch(config-if)# no shutdownswitch(config-if)# ip address 198.51.100.1/24switch(config-if)# ip helper-address 10.10.20.209switch(config-if)# exitswitch(config)# dhcp-relay option 82 replace macswitch# show dhcp-relayDHCP Relay Agent : EnabledDHCP Request Hop Count Increment : EnabledOption 82 : DisabledResponse Validation : DisabledOption 82 Handle Policy : replaceRemote ID : mac

DHCP Relay Statistics:

Valid Requests Dropped Requests Valid Responses Dropped Responses-------------- ---------------- --------------- -----------------60 10 60 10

DHCP Relay Option 82 Statistics:


DHCPv4 relay scenario 1In this scenario, DHCP relay on the server enables two hosts to obtain their IP addresses from aDHCPserver on a different subnet. The physical topology of the network looks like this:

Procedure

1. DHCP relay is enabled by default. If it was previously disabled, enable it.switch# configswitch(config)# dhcp-relay

2. Define an IPv4 helper address on interfaces 1/1/1 and 1/1/2 .switch(config)# interface 1/1/1switch(config-if)# ip address 192.168.2.11/24switch(config-if)# ip helper-address 192.168.1.1switch(config-if)# interface 1/1/2switch(config-if)# ip address 192.168.2.12/24switch(config-if)# ip helper-address 192.168.1.1switch(config-if)# quit


DHCP client | 62

3. Verify DHCP relay configuration.

switch# show dhcp-relay

DHCP Relay Agent : EnabledDHCP Request Hop Count Increment : EnabledL2VPN Clients : DisabledOption 82 : DisabledSource-Interface : DisabledResponse Validation : DisabledOption 82 Handle Policy : replaceRemote ID : mac





switch# show ip helper-addressIP Helper Addresses

Interface: 1/1/1IP Helper Address VRF----------------- -----------------192.168.1.1 default

Interface: 1/1/2IP Helper Address VRF----------------- -----------------192.168.1.1 default

DHCPv4 relay scenario 2In this scenario, host on switch 1 reaches theDHCP server on switch two via a LAG. The physical topology ofthe network looks like this:

Procedure

1. On switch 1:a. Create LAG 100 and assign an IP address to it.

switch# configswitch(config)# interface lag 100switch(config-lag-if)# ip address 10.0.10.1/24switch(config-lag-if)# lacp mode activeswitch(config-lag-if)# exitswitch(config)#

b. Assign an IP address to interface 1/1/1 and a an IP helper address to reach theDHCP server.switch(config)# interface 1/1/1switch(config-if)# ip address 20.0.0.1/8switch(config-if)# ip helper-address 9.0.0.2

c. Assign interfaces 1/1/2 and 1/1/3 to LAG 100switch(config-if)# interface 1/1/2switch(config-if)# lag 100switch(config-if)# interface 1/1/3switch(config-if)# lag 100switch(config-if)# exitswitch(config)#

d. Create a route between 10.0.10.2 and 9.0.0.0.switch(config)# ip route 9.0.0.0/24 10.0.10.2

2. On switch 2:a. Create LAG 100 and assign an IP address to it.

switch# configswitch(config)# interface lag 100switch(config-lag-if)# ip address 10.0.10.2/24switch(config-lag-if)# lacp mode activeswitch(config-lag-if)# exitswitch(config)#

b. Assign interfaces 1/1/1 and 1/1/2 to LAG 100switch(config-if)# interface 1/1/2switch(config-if)# lag 100switch(config-if)# interface 1/1/3switch(config-if)# lag 100switch(config-if)# exitswitch(config)#

c. Assign an IP address to interface 1/1/3.switch(config)# interface 1/1/3switch(config-if)# ip address 9.0.0.1/24

d. Create a route between 20.0.0.0 and 10.0.10.1.switch(config)# ip route 20.0.0.0/8 10.0.10.1

DHCPv4 relay commands

dhcp-relaydhcp-relayno dhcp-relay

DescriptionEnables DHCP relay support. DHCP relay is enabled by default. DHCP relay is not supported on themanagement interface.

The no form of this command disables DHCP relay support.

ExamplesThis example enables DHCP relay support.


DHCP client | 64

switch(config)# dhcp-relay

This example removes DHCP relay support.

switch(config)# no dhcp-relay

Command History


10.07 or earlier --

Command Information


4100i config Administrators or local user groupmembers with execution rightsfor this command.

dhcp-relay hop-count-incrementdhcp-relay hop-count-incrementno dhcp-relay hop-count-increment

DescriptionEnables theDHCP relay hop count increment feature, which causes theDHCP relay agent to increment thehop count in all relayed DHCP packets. Hop count is enabled by default.

The no form of this command disables the hop count increment feature.

ExamplesEnabling the hop count increment feature.

switch(config)# dhcp-relay hop-count-increment

Disabling the hop count increment feature.

switch(config)# no dhcp-relay hop-count-increment

Command History


10.07 or earlier --

Command Information



dhcp-relay l2vpn-clientsdhcp-relay l2vpn-clientsno dhcp-relay l2vpn-clients

DescriptionEnables forwarding of packets from L2 VPN clients. Forwarding is enabled by default.

The no form of this command disables forwarding of packets from L2 VPN clients.

ExampleEnabling forwarding of packets from L2 VPN clients.

switch(config)# dhcp-relay l2vpn-clientsswitch(config)# no dhcp-relay l2vpn-clients

Command History


10.07 or earlier --

Command Information



dhcp-relay option 82dhcp-relay option 82 {replace [validate] | drop [validate] |

keep | source-interface | validate [replace | drop]} [ip | mac]no dhcp-relay option 82 {replace [validate] | drop [validate] |

keep | source-interface | validate [replace | drop]} [ip | mac]

DescriptionConfigures the behavior of DHCP relay option 82. A DHCP relay agent can receive amessage from anotherDHCP relay agent having option 82. The relay information from the previous relay agent is replaced bydefault.

The no form of this command disables theDHCP relay option 82 configurations.


replace Replace the existing option 82 field in an inbound client DHCPpacket with the information from the switch. The remote ID andcircuit ID information from the first relay agent is lost. Default.


DHCP client | 66


validate Validate option 82 information in DHCP server responses and dropinvalid responses.

drop Drop any inbound client DHCP packet that contains option 82information.

keep Keep the existing option 82 field in an inbound client DHCP packet.The remote ID and circuit ID information from the first relay agentis preserved.

source-interface Configures the DHCP relay to use a configured source IP addressfor inter-VRF server reachability. Set the source IP address with thecommand ip source-interface.

ip Use the IP address of the interface on which the client DHCPpacket entered the switch as the option 82 remote ID.

mac Use the MAC address of the switch as the option 82 remote ID.Default.

ExampleThis example enables DHCP option 82 support and replaces all option 82 information with the values fromthe switch, with the switchMAC address as the remote ID.

switch(config)# dhcp-relay option 82 replace mac

Command History


10.07 or earlier --

Command Information



ip bootp-gatewayip bootp-gateway <IPV4-ADDR>no ip bootp-gateway <IPV4-ADDR>

DescriptionConfigures a gateway address for theDHCP relay agent to use for DHCP requests. By default DHCP relayagent picks the lowest-numbered IP address on the interface.

The no form of this command removes the gateway address.


<IPV4-ADDR> Specifies the IP address of the gateway in IPv4 format (x.x.x.x),where x is a is a decimal number from 0 to 255.

ExamplesSets the IP address of the gateway for interface 1/1/1 to 10.10.10.10.

switch(config)# interface 1/1/1switch(config-if)# ip bootp-gateway 10.10.10.10

Command History


10.07 or earlier --

Command Information


4100i config-if Administrators or local user groupmembers with execution rightsfor this command.

ip helper-addressip helper-address <IPV4-ADDR> [vrf <VRF-NAME>]no ip helper-address <IPV4-ADDR> [vrf <VRF-NAME>]

DescriptionDefines the address of a remote DHCP server or DHCP relay agent. Up to eight addresses can be defined.TheDHCP agent forwards DHCP client requests to all defined servers.

This command requires that you define a source IP address for DHCP relay with the command ip source-

interface. The configured source IP on the VRF is used to forward DHCP packets to the server.

A helper address cannot be defined on theOOBM interface.

The no form of this command removes an IP helper address.


helper-address <IPV4-ADDR> Specifies the helper IP address in IPv4 format (x.x.x.x), where xis a decimal number from 0 to 255.

vrf <VRF-NAME> Specifies the name of a VRF. Default: default.

Examples


DHCP client | 68

Defining the IP helper address 10.10.10.209 on interface 1/1/1.

switch(config)# interface 1/1/1switch(config-if)# ip helper-address 10.10.10.209

Removing the IP helper address 10.10.10.209 on interface 1/1/1.

switch(config-if)# no ip helper-address 10.10.10.209

Command History


10.07 or earlier --

Command Information



show dhcp-relayshow dhcp-relay

DescriptionShows DHCP relay configuration settings.

Example

switch# show dhcp-relay

DHCP Relay Agent : EnabledDHCP Request Hop Count Increment : EnabledL2VPN Clients : DisabledOption 82 : DisabledSource-Interface : DisabledResponse Validation : DisabledOption 82 Handle Policy : replaceRemote ID : mac





Command History


10.07 or earlier --

Command Information


4100i Manager (#) Operators or Administrators or local user groupmembers withexecution rights for this command. Operators can execute thiscommand from the operator context (>) only.

show dhcp-relay bootp-gatewayshow dhcp-relay bootp-gateway [interface <INTERFACE-NAME>]

DescriptionShows the bootp gateway defined for all interfaces or a specific interface.


<INTERFACE-NAME> Specifies an interface. Format: member/slot/port.

Examples

switch# show dhcp-relay bootp-gateway

BOOTP Gateway Entries

Interface Source IP-------------------- ---------------1/1/1 1.1.1.11/1/2 1.1.1.2

switch# show ip helper-address interface 1/1/1

BOOTP Gateway Entries

Interface Source IP-------------------- ---------------1/1/1 1.1.1.1

Command History


10.07 or earlier --

Command Information


DHCP client | 70



show ip helper-addressshow ip helper-address [interface <INTERFACE-ID>]

DescriptionShows the helper IP addresses defined for all interfaces or a specific interface.


interface <INTERFACE-ID> Specifies an interface. Format: member/slot/port.

Example

switch#IP Helper Addresses

Interface: 1/1/1IP Helper Address VRF----------------- -----------------192.168.20.1 default192.168.10.1 default

Interface: 1/1/2IP Helper Address VRF----------------- -----------------192.168.30.1 RED

switch# show ip helper-address interface 1/1/1IP Helper Addresses

Interface: 1/1/1IP Helper Address VRF----------------- -----------------192.168.20.1 default192.168.10.1 default

Command History


10.07 or earlier --

Command Information


4100i Manager (#) Operators or Administrators or local user groupmembers with


execution rights for this command. Operators can execute thiscommand from the operator context (>) only.

DHCPv6 relay agent


Configuring the DHCPv6 relay agent


Prerequisites

n An enabled layer 3 interface.

Procedure

1. Enable theDHCPv6 agent with the command dhcpv6-relay.2. Configure one ormore IP helper addresses with the command ipv6 helper-address. This

determines where theDHCPv6 agent forward DHCP requests.3. If you want to enable DHCP option 79 support to forward client link-layer addresses, use the

command dhcpv6-relay option 79.4. ReviewDHCPv6 relay agent configuration settings with the commands show dhcpv6-relay and show

ipv6 helper-address.


n Enables theDHCPv6 relay agent.n Enables interface 1/1/2 and assigns an IPv6 address to it. (By default, all interfaces are layer 3 and

disabled.)n Defines an IP helper address of FF01::1:1000 on interface 1/1/2.n Enables DHCP option 79.

switch(config)# dhcpv6-relayswitch(config)# interface 1/1/2switch(config-if)# no shutdownswitch(config-if)# ipv6 address 2001:0db8:85a3::8a2e:0370:7334/24switch(config-if)# ip helper-address FF01::1:1000switch(config-if)# exitswitch(config)# dhcpv6-relay option 79

DHCPv6 relay scenario 1In this scenario, DHCP relay on the server enables two hosts to obtain their IP addresses from aDHCPserver on a different subnet. The physical topology of the network looks like this:


DHCP client | 72

Procedure

1. Enable DHCP relay.switch# configswitch(config)# dhcpv6-relay

2. Define an IPv6 helper address on interfaces 1/1/1 and 1/1/2 .switch(config)# interface 1/1/1switch(config-if)# ipv6 address 2002::22/64switch(config-if)# ipv6 helper-address 2001::1switch(config-if)# interface 1/1/2switch(config-if)# ipv6 address 2002::21/64switch(config-if)# ipv6 helper-address 2001::1switch(config-if)# quit

3. Verify DHCP relay configuration.switch# show dhcpv6-relayDHCPv6 Relay Agent : EnabledOption 79 : Disabled

switch# show ipv6 helper-address

Interface: 1/1/1IPv6 Helper Address Egress Port---------------------------------------------- -----------2001::1 1/1/3

Interface: 1/1/2IPv6 Helper Address Egress Port-------------------------------------------- -----------2001::1 1/1/3

DHCP relay (IPv6) commands

dhcpv6-relaydhcpv6-relayno dhcpv6-relay

DescriptionEnables DHCPv6 relay support. DHCPv6 relay is disabled by default.

DHCP relay is not supported on themanagement interface

The no form of this command disables DHCP relay support.

ExamplesEnables DHCPv6 relay support.

switch(config)# dhcpv6-relay

Removes DHCPv6 relay support.

switch(config)# no dhcpv6-relay

Command History


10.07 or earlier --

Command Information



dhcpv6-relay option 79dhcpv6-relay option 79no dhcpv6-relay option 79

DescriptionEnables support for DHCP relay option 79. When enabled, the DHCPv6 relay agent forwards the link-layeraddress of the client. This option is disabled by default.

The no form of this command disables support for DHCP relay option 79.

ExamplesEnables DHCP option 79 support.

switch(config)# dhcpv6-relay option 79

Disables DHCP option 79 support.

switch(config)# no dhcpv6-relay option 79

Command History


DHCP client | 74


10.07 or earlier --

Command Information



ipv6 helper-addressipv6 helper-address unicast <UNICAST-IPV6-ADDR>no ipv6 helper-address unicast <UNICAST-IPV6-ADDR>ipv6 helper-address multicast {all-dhcp-servers | <MULTICAST-IPV6-ADDR>} egress <PORT-NUM>no ipv6 helper-address multicast {all-dhcp-servers | <MULTICAST-IPV6-ADDR>} egress <PORT-NUM>

DescriptionDefines the address of a remote DHCPv6 server or DHCPv6 relay agent. Up to eight addresses can bedefined. TheDHCPv6 agent forwards DHCPv6 client requests to all defined servers.

Not supported on theOOBM interface.

The no form of this command removes an IP helper address.


<UNICAST-IPV6-ADDR> Specifies the unicast helper IP address in IPv6 format(xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx), where x is ahexadecimal number from 0 to F.

<MULTICAST-IPV6-ADDR> Specifies the multicast helper IP address in IPv6 format(xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx), where x is ahexadecimal number from 0 to F.

all-dhcp-servers Specifies all the DHCP server IPv6 addresses for the interface.

egress <PORT-NUM> Specifies the port number on which DHCPv6 service requests arerelayed to a multicast destination. The egress port must bedifferent than the one on which the multicast helper address isconfigured. Format: member/slot/port.

vrf <VRF-NAME> Specifies the name of the VRF from which the specified protocolsets its source IP address.

ExamplesDefining amulticast IPv6 helper address of 2001:DB8::1 on port 1/1/2:

switch(config-if)# ipv6 helper-address multicast 2001:DB8:0:0:0:0:0:1 egress 1/1/2

Removing the IP helper address of 2001:DB8::1 on port 1/1/2:

switch(config-if)# no ipv6 helper-address multicast 2001:DB8:0:0:0:0:0:1 egress1/1/2

Command History


10.07 or earlier --

Command Information



show dhcpv6-relayshow dhcpv6-relay

DescriptionShows DHCP relay configuration settings.

Example

switch# show dhcpv6-relayDHCPv6 Relay Agent : EnabledOption 79 : Enabled

Command History


10.07 or earlier --

Command Information



show ipv6 helper-addressshow ipv6 helper-address [interface <INTERFACE-ID>]

DescriptionShows the helper IP addresses defined for all interfaces or a specific interface.


DHCP client | 76


interface <INTERFACE-ID> Specifies an interface. Format: member/slot/port.

Examples

switch# show ipv6 helper-address

Interface: 1/1/1IPv6 Helper Address Egress Port---------------------------------------------- -----------2001:db8:0:1:: -FF01::1:1000 1/1/2

Interface: 1/1/2IPv6 Helper Address Egress Port-------------------------------------------- -----------2001:db8:0:1:: -

switch# show ipv6 helper-address interface 1/1/1


switch# show ipv6 helper-address interface 1/1/1


Command History


10.07 or earlier --

Command Information



http-proxyhttp-proxy {<FQDN | IPV4-ADDR>} [vrf <VRF-NAME>]no http-proxy [<FQDN | IPV4-ADDR>] [vrf <VRF-NAME>]

DescriptionSpecifies HTTP proxy location and VRF.

The no form of this command removes a specified HTTP proxy location.


<FQDN> Specifies FQDN for HTTP proxy location.

<IPV4-ADDR> Specifies IPV4 address for HTTP proxy location.

<VRF-NAME> Specifies VRF for HTTP proxy.

A FQDN or IPV4 address are optional in the no form of the command.

Usage

n HTTP proxy location can be configured using the CLI/REST interface or auto-configured through theDHCP server connected to the switch.

n There are three sources for HTTP proxy location:o User configured HTTP proxy via CLI or REST interface.o DHCP options received viamanagement/OOBM port.o DHCP options received via VLAN 1 on supported switch platforms.

nn Operational configuration for HTTP proxy location is determined by the sourcewith the highest priority.Source priority:

1. User configured.2. DHCP options received viamanagement/OOBM port.3. DHCP options received via VLAN 1.

n HTTP proxy location can only be a FQDN or an IPV4 address.

n When HTTP proxy location and VRF are configured, they override any existing HTTP proxy location and VRF.

n If this command is executed without the VRF parameter, the default VRF will be used.

n Port number may need to be specified at the end of the IP address for FQDN to connect via HTTP proxy.

o For example, 8088 is the TCP port number: http-proxy 192.168.248.248:8088

ExamplesSpecifying a FQDN for HTTP proxy location and MGMT VRF:

switch(config)# http-proxy http-proxy.aruba.com vrf mgmt

Removing HTTP proxy location

switch(config)# no http-proxy

Command History


DHCP client | 78


10.07 or earlier --

Command Information



Chapter 6DHCP snooping

DHCP snoopingDHCP is a protocol used by DHCP servers in IP networks to dynamically allocate network configuration datato client devices (DHCP clients). Possible network configuration data includes user IP address, subnet mask,default gateway IP address, DNS server IP address, and lease duration. TheDHCP protocol enables DHCPclients to be dynamically configured with such network configuration data without any manual setupprocess.

DHCP snooping is a security feature that helps avoid problems caused by an unauthorized DHCP server onthe network that provides invalid configuration data to DHCP clients. A user without malicious intent maycause this problemby unknowingly adding to the network a switch or other device that includes a DHCPserver enabled by default. In some cases, a user withmalicious intent adds a DHCP server to the network aspart of their Denial of Service orMan in theMiddle attack.

DHCP snooping helps prevent such problems by distinguishing between trusted ports connected tolegitimate DHCP servers and untrusted ports connected to general users. DHCP packets are forwardedbetween trusted ports without inspection. DHCP packets received on other switch ports are inspectedbefore being forwarded. DHCP Packets fromuntrusted sources are dropped.

DHCP Snooping and DHCP relay can be configured on the same switch.

When DHCP snooping and DHCP relay are both enabled on a VLAN, the following actions occur:

n Received packet: DHCP snooping processes the DHCP packet before (possibly) handing it to DHCP relay.

n Transmitted packet: DHCP packets sent by DHCP relay are intercepted by DHCP snooping to learn IPbindings.

For evenmore rigorous security that is applied in hardware on a packet-by-packet basis, you can use IP sourcelockdown feature as described in IP source lockdown.

DHCP server interoperationDHCP servermay not be configured with DHCP snooping.

DHCPv4 snooping conditions for dropping DHCPv4 packetsApplies only to DHCPv4 snooping.

Packet types that aredropped Conditions for dropping the packets

DHCPOFFER, DHCPACK,DHCPNACK

n A packet from a DHCP server is received on an untrusted port.n The switch is configured with a list of authorized DHCP server addresses


DHCP snooping | 80

Packet types that aredropped Conditions for dropping the packets

and a DHCP response received on a trusted port, but the source IP addressis not an authorized DHCP server.

DHCPRELEASE, DHCPDECLINE n A broadcast packet that has a MAC address in the DHCP binding database,but the port in the DHCP binding database does not match the port onwhich the packet is received.

All DHCP packet types n A DHCP packet received on an untrusted port in which the DHCP clienthardware MAC address does not match the source MAC address in thepacket.

n A DHCP packet containing DHCP relay information (option 82) is receivedon an untrusted port.

Protocol details1. When a port is configured as a trusted port, all the dynamic IP binding entries learned on that port

will be deleted.2. When a client is connected on a trusted port, the dynamic IP binding entries will not be learned on the

switch, even though the client gets an IP address.3. If DHCPv4 snooping is enabled on two back-to-back access switches, DHCP packets will be dropped,

Since by default option 82 is enabled on DHCPv4 snooping and the default policy is drop. The secondswitch with DHCPv4 snooping enabled drops the packets. In this scenario the user should enableDHCPv4 snooping option 82 on one switch, or else you can disable on both.

DHCPv4 snooping commands

clear dhcpv4-snooping bindingclear dhcpv4-snooping binding {all | ip <IPV4-ADDR> vlan <VLAN-ID> | port <PORT-NUM> | vlan<VLAN-ID>}

DescriptionClears DHCPv4 snooping binding entries.


all Specifies that all DHCPv4 binding information is to be cleared.

ip <IPV4-ADDR> vlan <VLAN-ID> Specifies the IPv4 address and VLAN for which all DHCPv4 bindinginformation is to be cleared.

port <PORT-NUM> Specifies the port number for which all DHCPv4 bindinginformation is to be cleared.

vlan <VLAN-ID> Specifies the VLAN for which all DHCPv4 binding information is tobe cleared.

Examples

Clearing all DHCPv4 binding information for IP address 192.168.2.4 and VLAN 5:

switch(config)# clear dhcpv4-snooping binding ip 192.168.2.4 vlan 5

Clearing all DHCPv4 binding information for port 1/1/1:

switch(config)# clear dhcpv4-snooping binding port 1/1/1

Clearing all DHCPv4 binding information for VLAN 10:

switch(config)# clear dhcpv4-snooping binding vlan 10

Clearing all DHCPv4 binding information:

switch(config)# clear dhcpv4-snooping binding all

Command History


10.09.1000 Command introduced for the 8360 Switch Series.

10.09 Command introduced for the 6000 and 6100 Switch Series.

10.07 or earlier Command introduced for the 4100i Switch Series.

Command Information


4100i60006100

Operator (>) or Manager(#)


clear dhcpv4-snooping statisticsclear dhcpv4-snooping statistics

DescriptionClears all DHCPv4 snooping statistics.

ExamplesClear all DHCPv4 snooping statistics:

switch# clear dhcpv4-snooping statistics

Command History


DHCP snooping | 82





Command Information


4100i60006100



dhcpv4-snoopingdhcpv4-snoopingno dhcpv4-snooping

DescriptionEnables DHCPv4 snooping. DHCPv4 snooping is disabled by default. DHCP snooping is not supported on themanagement interface.The no form of the command disables DHCPv4 snooping, flushing all the IP bindings learned since DHCPv4snooping was enabled.

ExamplesEnabling DHCPv4 snooping:

switch(config)# dhcpv4-snooping

Disabling DHCPv4 snooping:

switch(config)# no dhcpv4-snooping

Command History





Command Information


4100i config Administrators or local user groupmembers with execution rights


60006100

for this command.

dhcpv4-snooping (in config-vlan context)dhcpv4-snoopingno dhcpv4-snooping

DescriptionEnables DHCPv4 snooping for the specified VLAN in the config-vlan context. DHCPv4 snooping is disabledby default for all VLANs.

The no formof the command disables DHCPv4 snooping on the specified VLAN, flushing all the IP bindingslearned for this VLAN since DHCPv4 snooping was enabled for this VLAN.

ExamplesEnabling DHCPv4 snooping on VLAN 100:

switch(config)# vlan 100switch(config-vlan-100)# dhcpv4-snoopingswitch(config-vlan-100)# exitswitch(config)#

Disabling DHCPv4 snooping on VLAN 100:

switch(config)# vlan 100switch(config-vlan-100)# no dhcpv4-snoopingswitch(config-vlan-100)# exitswitch(config)#

Command History





Command Information


4100i60006100

config-vlan Administrators or local user groupmembers with execution rightsfor this command.

dhcpv4-snooping allow-overwrite-bindingdhcpv4-snooping allow-overwrite-binding


DHCP snooping | 84

no dhcpv4-snooping allow-overwrite-binding

DescriptionAllows binding to be overwritten for the same IP address. When enabled, and aDHCP server offers a hostan IP address that is already bound to an existing host in the binding table, the existing binding isoverwritten for the new host if the new host is successfully able to acquire the same IP address. Thisoverwriting is disabled by default, causing theDHCP server offers to be dropped.

The no formof the command disables DHCPv4 snooping overwrite binding.

ExamplesEnabling DHCPv4 snooping overwrite binding:

switch(config)# dhcpv4-snooping allow-overwrite-binding

Disabling DHCPv4 snooping overwrite binding:

switch(config)# no dhcpv4-snooping allow-overwrite-binding

Command History





Command Information


4100i60006100

config Administrators or local user groupmembers with execution rightsfor this command.

dhcpv4-snooping authorized-serverdhcpv4-snooping authorized-server <IPV4-ADDR> [vrf <VRF-NAME>]no dhcpv4-snooping authorized-server <IPV4-ADDR> [vrf <VRF-NAME>]

DescriptionAdds an authorized (trusted) DHCP server to a list of authorized servers for use by DHCPv4 snooping. Thiscommand can be issuedmultiple times, adding amaximumof 20 authorized servers per VRF. By default,with an empty list of authorized servers, all DHCP servers are considered to be trusted for DHCPv4snooping purposes.

The mgmt VRF cannot be used with this command.

The no formof this command deletes the specified DHCP server from the authorized list.


<IPV4-ADDR> Specifies the IPv4 address of the trusted DHCPv4 server.

vrf <VRF-NAME> Specifies the VRF name.

UsageFor authorized server lookup, the VRF is derived from the Switch Virtual Interface (SVI) configured for theincoming VLAN. If the SVI is not configured, the default VRF is assumed.

ExamplesAdding DHCP servers 192.168.2.2, 192.168.2.3, and 192.168.2.10 to the authorized server list:

switch(config)# dhcpv4-snooping authorized-server 192.168.2.2switch(config)# dhcpv4-snooping authorized-server 192.168.2.3 vrf defaultswitch(config)# dhcpv4-snooping authorized-server 192.168.2.10 vrf default

Removing DHCP server 192.168.2.3 from the authorized server list:

switch(config)# no dhcpv4-snooping authorized-server 192.168.2.3 vrf default

Command History





Command Information


4100i60006100


dhcpv4-snooping external-storagedhcpv4-snooping external-storage volume <VOL-NAME> file <FILE-NAME>no dhcpv4-snooping external-storage volume <VOL-NAME> file <FILE-NAME>

DescriptionConfigures external storage to be used for backing up IP bindings (used by DHCPv4 snooping) to a file.When configured, the switch stores all the IP bindings in an external storage file so that they are retainedafter the switch restarts. When the switch restarts, it reads the IP bindings from the configured externalstorage file to populate its local cache.


DHCP snooping | 86

When both external storage and flash storage are configured to store DHCP snooping IP bindings, the externalstorage takes priority, and is used exclusively until it becomes unconfigured, at which time flash storage (ifconfigured) is used. Later, if external storage is configured again, flash storage stops and external storageresumes.

The no formof this command disables the saving of IP bindings in an external storage file.


volume <VOL-NAME> Specifies the name of the existing external storage volume wherethe IP bindings file will be saved. Before running the dhcpv4-snooping external-storage volume command, first createthe external storage volume using command external-storage<VOLUME-NAME>. See External storage commands in the

Command-Line Interface Guide.

file <FILE-NAME> Specifies the file name to use for storing IP bindings. Maximum255 characters.

Configuring IP bindings storage in file dsnoop_ipbindings on existing volume dhcp_snoop:

switch(config)# dhcpv4-snooping external-storage volume dhcp_snoop file dsnoop_ipbindings

Disabling external storage:

switch(config)# no dhcpv4-snooping external-storage volume dhcp_snoop

Disabling external storagewhen flash storage is also configured (note themessage indicating that flashstoragewill be used):

switch(config)# no dhcpv4-snooping external-storage volume dhcp_snoopDHCPv4-Snooping will use flash storage to store IP Binding databaseswitch(config)#

Command History




10.08 Updated example with flash storage information.


Command Information


4100i60006100


dhcpv4-snooping flash-storagedhcpv4-snooping flash-storage [delay <DELAY>]no dhcpv4-snooping flash-storage [delay <DELAY>]

DescriptionConfigures switch flash storage to be used for backing up client IP bindings (used by DHCPv4 snooping).When flash storage is configured (and external storage is not already configured for this purpose), theswitch stores the IP bindings in switch flash storage. When the switch restarts, it reads the IP bindings fromthe switch flash storage to populate its local cache.

Writing the IP bindings to flash storage only occurs after the configured delay and if there has been a changein client IP bindings. Writing is skipped when client IP bindings have not changed since the previous write.

Omitting delay <DELAY> sets the default delay of 900 seconds.

To reduce switch flash aging it is recommended that you use external storage (command dhcpv4-snoopingexternal-storage) to backup DHCP snooping IP bindings. Alternatively, consider configuring flash storage with asubstantial delay between writes.


The no formof this command disables the saving of IP bindings in flash storage.


delay <DELAY> Specifies the delay in seconds between writes (when necessary) tothe flash storage, Default: 900. Range: 300 to 86400.

ExamplesConfiguring switch flash storage for DHCP snooping IP binding storagewith awrite delay of 1200 seconds:

switch(config)# dhcpv4-snooping flash-storage delay 1200Warning: Using flash storage reduces switch lifetime. It is recommended to use anexternal-storage.Do you want to continue (y/n)? yswitch(config)#

Unconfiguring usage of switch flash storage for IP bindings :


DHCP snooping | 88

switch(config)# no dhcpv4-snooping flash-storage

Command History




10.08 Command introduced for the 4100i Switch Series.

Command Information


4100i60006100


dhcpv4-snooping max-bindingsdhcpv4-snooping max-bindings <MAX-BINDINGS>no dhcpv4-snooping max-bindings <MAX-BINDINGS>

DescriptionSets themaximumnumber of DHCP bindings allowed on the selected interface. For all interfaces on whichthis command is not run, the default max binding is themaximum value of the range.

The no formof the command revertsmax bindings for the selected interface to its default.


<MAX-BINDINGS> Specifies the maximum number of DHCP bindings. Range: 0 to256.

ExamplesSet theDHCPmax bindings to 256 on interface 1/1/1:

switch(config)# interface 1/1/1switch(config-if)# dhcpv4-snooping max-bindings 256switch(config-if)# exitswitch(config)#

Revert DHCPmax bindings to its default on interface 1/1/1:

switch(config)# interface 1/1/1switch(config-if)# no dhcpv4-snooping max-bindings 256switch(config-if)# exitswitch(config)#

Command History





Command Information


4100i60006100

config-if Administrators or local user groupmembers with execution rightsfor this command.

dhcpv4-snooping option 82dhcpv4-snooping option 82 [remote-id {mac | subnet-ip}]

[untrusted-policy {drop | keep | replace}]no dhcpv4-snooping option 82 [remote-id {mac | subnet-ip}]

[untrusted-policy {drop | keep | replace}]

DescriptionConfigures the addition of option 82 DHCP relay information to DHCP client packets that are beingforwarded on trusted ports. DHCP relay is enabled by default.

In the switch default state and when this command is entered without parameters (dhcpv4-snoopingoption 82), this default configuration is used:dhcpv4-snooping option 82 remote-id mac untrusted-policy drop

When remote-id is omitted, its default (mac) is used. When untrusted-policy is omitted, its default (drop) isused.

The no formof this command disables DHCPv4 snooping option 82.


remote-id Specifies what address to use as the remote ID for the replaceoption of untrusted-policy. Specify one of these address types:

mac The default. Uses the switch MAC address as the remote ID.

subnet-ip Uses the IP address of the client VLAN as the remote ID.

untrusted-policy Specifies what action to take for DHCP packets (with option 82)that are received on untrusted ports. Specify one of these actions:

drop The default. Drop DHCP packets (with option 82) withoutforwarding them.

keep Forward DHCP packets (with option 82).

replace Replace the option 82 information in the DHCP packets withwhatever is set for remote-id (one of: mac, subnet-ip, or mgmt-ip) and forward the packets.


DHCP snooping | 90

ExamplesConfiguring DHCPv4 snooping option 82 with the keep action:

switch(config)# dhcpv4-snooping option 82 untrusted-policy keep

Disabling DHCPv4 snooping option 82:

switch(config)# no dhcpv4-snooping option 82 untrusted-policy keep

Command History





Command Information


4100i60006100


dhcpv4-snooping trustdhcpv4-snooping trustno dhcpv4-snooping trust

DescriptionEnables DHCPv4 snooping trust on the selected port. Only server packets received on trusted ports areforwarded. All the ports are untrusted by default.

The no form of the command disables DHCPv4 snooping trust on the selected port.

ExamplesEnabling DHCPv4 snooping trust on interface 2/2/1:

switch(config)# interface 2/2/1switch(config-if)# dhcpv4-snooping trustswitch(config-if)# exitswitch(config)#

Disabling DHCPv4 snooping trust on interface 2/2/1:

switch(config)# interface 2/2/1switch(config-if)# no dhcpv4-snooping trust

switch(config-if)# exitswitch(config)#

Command History





Command Information


4100i60006100


dhcpv4-snooping verify macdhcpv4-snooping verify macno dhcpv4-snooping verify mac

DescriptionThis command enables verification of the hardware address field in DHCP client packets. When enabled, theDHCP client hardware address field and the sourceMAC addressmust be the same for packets received onuntrusted ports or else the packet is dropped. This DHCP snoopingMAC verification is enabled by default.

The no formof the command disables DHCPv4 snoopingMAC verification.

ExamplesEnabling DHCPv4 snoopingMAC verification:

switch(config)# dhcpv4-snooping verify mac

Disabling DHCPv4 snoopingMAC verification:

switch(config)# no dhcpv4-snooping verify mac

Command History






DHCP snooping | 92

Command Information


4100i60006100


show dhcpv4-snoopingshow dhcpv4-snooping

DescriptionShows theDHCPv4 snooping configuration.

ExamplesShowing theDHCPv4 snooping configuration:

switch(config)# show dhcpv4-snooping

DHCPv4-Snooping Information

DHCPv4-Snooping : Yes Verify MAC Address : YesAllow Overwrite Binding : Yes Enabled VLANs : 1,5,7,100-110

Option 82 Configurations

Untrusted Policy : replace Insertion : YesOption 82 Remote-id : mac

External Storage Information

Volume Name : ipbindingFile Name : ipv4BindingsInactive Since : 01:23:20 09/10/2021Error : File Write Failure

Flash Storage Information

File Write Delay : 300 seconds

Active Storage : External

Authorized Server Configurations

VRF Authorized Servers------------ ------------------default 1.1.10.3default 10.10.10.1default 10.10.10.56default 200.10.10.3green 1.1.10.3green 1.10.10.3green 10.10.100.3red 192.168.122.53red 192.168.122.121

Port Information

Max Static DynamicPort Trust Bindings Bindings Bindings-------- ----- -------- -------- --------1/1/2 Yes 5000 50 01/1/3 Yes 8192 0 01/1/5 Yes 8192 0 221/1/16 No 100 0 010/10/10 No 8100 320 200lag120 No 512 0 0

Command History






Command Information


4100i60006100



show dhcpv4-snooping bindingshow dhcpv4-snooping binding

DescriptionShows theDHCPv4 snooping binding configuration.

ExamplesShowing theDHCPv4 snooping binding configuration:

switch(config)# show dhcpv4-snooping binding

MacAddress IP VLAN Interface Time-Left----------------- --------------- ---- --------- ---------aa:b1:c1:dd:ee:ff 10.2.3.4 1 1/1/2 582aa:b2:c2:dd:ee:ff 10.2.3.5 1 1/1/2 584

Command History


DHCP snooping | 94





Command Information


4100i60006100



show dhcpv4-snooping statisticsshow dhcpv4-snooping statistics

DescriptionShows theDHCPv4 snooping statistics.

ExamplesShowing theDHCPv4 snooping statistics:

switch(config)# show dhcpv4-snooping statistics

Packet-Type Action Reason Count----------- ------- ----------------------------- ---------server forward from trusted port 5425client forward to trusted port 3895server drop received on untrusted port 117server drop unauthorized server 214client drop destination on untrusted port 78client drop untrusted option 82 field 85client drop bad DHCP release request 0client drop failed verify MAC check 5client drop failed on max-binding limit 15

Command History





Command Information


4100i60006100



DHCPv6 snooping commands

clear dhcpv6-snooping bindingclear dhcpv6-snooping binding {all | ip <IPV6-ADDR> vlan <VLAN-ID> | interface <IFNAME> |vlan <VLAN-ID>}

DescriptionClears DHCPv6 snooping binding entries.


all Specifies that all DHCPv6 binding information is to be cleared.

ip <IPV6-ADDR> vlan <VLAN-ID> Specifies the IPv6 address and VLAN for which all DHCPv6 bindinginformation is to be cleared.

interface <IFNAME> Specifies the interface for which all DHCPv6 binding information isto be cleared.

vlan <VLAN-ID> Specifies the VLAN for which all DHCPv6 binding information is tobe cleared. Range: 1 to 4094.

ExamplesClearing all DHCPv6 binding information for 5000::1 vlan 1:

switch(config)# clear dhcpv6-snooping binding ip 5000::1 vlan 1

Clearing all DHCPv6 binding information for interface 1/1/10:

switch(config)# clear dhcpv6-snooping binding interface 1/1/10

Clearing all DHCPv6 binding information for VLAN 10:

switch(config)# clear dhcpv6-snooping binding vlan 10

Clearing all DHCPv6 binding information:

switch(config)# clear dhcpv6-snooping binding all

Command History


DHCP snooping | 96





Command Information


4100i60006100



clear dhcpv6-snooping statisticsclear dhcpv6-snooping statistics

DescriptionClears all DHCPv6 snooping statistics.

ExamplesClear all DHCPv6 snooping statistics:

switch# clear dhcpv6-snooping statistics

Command History





Command Information


4100i60006100



dhcpv6-snoopingdhcpv6-snoopingno dhcpv6-snooping

Description

Enables DHCPv6 snooping. DHCPv6 snooping is disabled by default. DHCPv6 snooping is not supported onthemanagement interface.

The no formof the command disables DHCPv6 snooping, flushing all the IP bindings learned since DHCPv6snooping was enabled.

ExamplesEnabling DHCPv6 snooping:

switch(config)# dhcpv6-snooping

Disabling DHCPv6 snooping:

switch(config)# no dhcpv6-snooping

Command History





Command Information


4100i60006100


dhcpv6-snooping (in config-vlan context)dhcpv6-snoopingno dhcpv6-snooping

DescriptionEnables DHCPv6 snooping in the config-vlan context. DHCPv6 snooping is disabled by default for allVLANs.

The no formof the command disables DHCPv6 snooping on the specified VLAN, flushing all the IPv6bindings learned for this VLAN since DHCPv6 snooping was enabled for this VLAN.

ExamplesEnabling DHCPv6 snooping on VLAN 100:

switch(config)# vlan 100switch(config-vlan-100)# dhcpv6-snooping


DHCP snooping | 98

switch(config-vlan-100)# exitswitch(config)#

Disabling DHCPv6 snooping on VLAN 100:

switch(config)# vlan 100switch(config-vlan-100)# no dhcpv6-snoopingswitch(config-vlan-100)# exitswitch(config)#

Command History





Command Information


4100i60006100

config-vlan Administrators or local user groupmembers with execution rightsfor this command.

dhcpv6-snooping authorized-serverdhcpv6-snooping authorized-server <IPV6-ADDR> [vrf <VRF-NAME>]no dhcpv6-snooping authorized-server <IPV6-ADDR> [vrf <VRF-NAME>]

DescriptionAdds an authorized (trusted) DHCPv6 server to a list of authorized servers for use by DHCPv6 snooping.This command can be issuedmultiple times, adding amaximumof 20 authorized servers per VRF. Bydefault, with an empty list of authorized servers, all DHCPv6 servers are considered to be trusted forDHCPv6 snooping purposes.

The mgmt VRF cannot be used with this command.

Configure the link local IPv6 address instead of global IPv6 address of the DHCPv6 server as the authorized-server. For example:

switch(config)# dhcpv6-snooping authorized-server fe80::2ca4:fa40:d4cd:bc2f

The no formof this command deletes the specified DHCPv6 server from the authorized list.


<IPV6-ADDR> Specifies the IPv6 address of the trusted DHCPv6 server.

vrf <VRF-NAME> Specifies the VRF name.

UsageFor authorized server lookup, the VRF is derived from the Switch Virtual Interface (SVI) configured for theincoming VLAN. If the SVI is not configured, the default VRF is assumed.

ExamplesAdding DHCP servers ABCD:5ACD::2000, and ABCD:5ACD::2010 to the authorized server list:

switch(config)# dhcpv6-snooping authorized-server ABCD:5ACD::2000 vrf defaultswitch(config)# dhcpv6-snooping authorized-server ABCD:5ACD::2010 vrf default

Removing DHCP server ABCD:5ACD::2000 from the authorized server list:

switch(config)# no dhcpv6-snooping authorized-server ABCD:5ACD::2000 vrf default

Command History





Command Information


4100i60006100


dhcpv6-snooping external-storagedhcpv6-snooping external-storage volume <VOL-NAME> file <FILE-NAME>no dhcpv6-snooping external-storage volume <VOL-NAME> file <FILE-NAME>

DescriptionConfigures external storage to be used for backing up IPv6 bindings (used by DHCPv6 snooping) to a file.When configured, the switch stores all the IP bindings in an external storage file so that they are retainedafter the switch restarts. When the switch restarts, it reads the IPv6 bindings from the configured externalstorage file to populate its local cache.


DHCP snooping | 100


The no formof this command disables the saving of IPv6 bindings in an external storage file.


volume <VOL-NAME> Specifies the name of the existing external storage volume wherethe IPv6 bindings file will be saved. Before running the dhcpv6-snooping external-storage volume command, first createthe external storage volume using command external-storage<VOLUME-NAME>. See External storage commands in the Command-Line Interface Guide.

file <FILE-NAME> Specifies the file name to use for storing IPv6 bindings. Maximum255 characters.

ExamplesConfiguring IPv6 bindings storage in file ipv6Bindings on existing volume dhcp_snoop:

switch(config)# dhcpv6-snooping external-storage volume dhcp_snoop file ipv6Bindings

Disabling external storage:

switch(config)# no dhcpv6-snooping external-storage volume dhcp_snoop

Disabling external storagewhen flash storage is also configured (note themessage indicating that flashstoragewill be used):

switch(config)# no dhcpv6-snooping external-storage volume dhcp_snoopDHCPv6-Snooping will use flash storage to store IP Binding databaseswitch(config)#

Command History





Command Information


4100i60006100


dhcpv6-snooping flash-storagedhcpv6-snooping flash-storage [delay <DELAY>]no dhcpv6-snooping flash-storage [delay <DELAY>]

DescriptionConfigures switch flash storage to be used for backing up client IP bindings (used by DHCPv6 snooping).When flash storage is configured (and external storage is not already configured for this purpose), theswitch stores the IP bindings in switch flash storage. When the switch restarts, it reads the IP bindings fromthe switch flash storage to populate its local cache.

Writing the IP bindings to flash storage only occurs after the configured delay and if there has been a changein client IP bindings. Writing is skipped when client IP bindings have not changed since the previous write.

Omitting delay <DELAY> sets the default delay of 900 seconds.

To reduce switch flash aging it is recommended that you use external storage (command dhcpv6-snoopingexternal-storage) to backup DHCP snooping IP bindings. Alternatively, consider configuring flash storage with asubstantial delay between writes.


The no formof this command disables the saving of IP bindings in flash storage.


delay <DELAY> Specifies the delay in seconds between writes (when necessary) tothe flash storage, Default: 900. Range: 300 to 86400.

ExamplesConfiguring switch flash storage for DHCP snooping IP binding storagewith awrite delay of 1200 seconds:

switch(config)# dhcpv6-snooping flash-storage delay 1200Warning: Using flash storage reduces switch lifetime. It is recommended to use anexternal-storage.Do you want to continue (y/n)? yswitch(config)#

Unconfiguring usage of switch flash storage for IP bindings :


DHCP snooping | 102

switch(config)# no dhcpv6-snooping flash-storage

Command History




10.08 Command introduced for the 4100i Switch Series.

Command Information


4100i60006100


dhcpv6-snooping max-bindingsdhcpv6-snooping max-bindings <MAX-BINDINGS>no dhcpv6-snooping max-bindings <MAX-BINDINGS>

DescriptionSets themaximumnumber of DHCPv6 bindings allowed on the selected interface. For all interfaces onwhich this command is not run, the default max binding is themaximum value of the range.

The no formof the command revertsmax bindings for the selected interface to its default.


<MAX-BINDINGS> Specifies the maximum number of DHCP bindings. Range: 0 to256.

ExamplesSet theDHCPv6 max bindings to 256 on interface 1/1/1:

switch(config)# interface 1/1/1switch(config-if)# dhcpv6-snooping max-bindings 256switch(config-if)# exitswitch(config)#

Revert DHCPv6 max bindings to its default on interface 1/1/1:

switch(config)# interface 1/1/1switch(config-if)# no dhcpv6-snooping max-bindings 256switch(config-if)# exitswitch(config)#

Command History





Command Information


4100i60006100


dhcpv6-snooping trustdhcpv6-snooping trustno dhcpv6-snooping trust

DescriptionEnables DHCPv6 snooping trust on the selected interface. Only server packets received on trustedinterfaces are forwarded. All the interfaces are untrusted by default.

The no formof the command disables DHCPv6 snooping trust on the selected interface.config-if

ExamplesEnabling DHCPv6 snooping trust on interface 2/2/1:

switch(config)# interface 2/2/1switch(config-if)# dhcpv6-snooping trustswitch(config-if)# exitswitch(config)#

Disabling DHCPv6 snooping trust on interface 2/2/1:

switch(config)# interface 2/2/1switch(config-if)# no dhcpv6-snooping trustswitch(config-if)# exitswitch(config)#

Command History






DHCP snooping | 104

Command Information


4100i60006100


show dhcpv6-snoopingshow dhcpv6-snooping

DescriptionShows theDHCPv6 snooping configuration.

ExamplesShowing theDHCPv6 snooping configuration:

switch(config)# show dhcpv6-snooping

DHCPv6-Snooping Information

DHCPv6-Snooping : Yes Enabled VLANs : 1,5,7,100-110

External Storage Information

Volume Name : dhcp_snoopFile Name : ip_bindingInactive Since : 01:23:20 09/10/2021Error : Failed to write external storage

Flash Storage Information

File Write Delay : 300 seconds

Active Storage : External

Authorized Server Configurations

VRF Authorized Servers------------ ------------------default 2001:0db8:85a3:0000:0000:8a2e:0370:7334default 2002::2default 2004::1red 2002::1red 2002::2red 2002::9green 5000::1green 5000::2green 5000::3green 5000::7green 5000::8

Port Information

Max Static DynamicPort Trust Bindings Bindings Bindings-------- ----- -------- -------- --------1/1/2 Yes 0 0 0

1/1/3 Yes 0 3 01/1/5 Yes 0 22 01/1/16 No 256 0 2010/10/10 No 256 12 7lag120 No 256 3 0

Command History





Command Information


4100i60006100



show dhcpv6-snooping bindingshow dhcpv6-snooping binding

DescriptionShows theDHCPv6 snooping binding configuration.

ExamplesShowing theDHCPv6 snooping binding configuration:

switch# show dhcpv6-snooping binding

IP Binding Information======================MAC-ADDRESS IPV6-ADDRESS VLAN INTERFACE TIME-LEFT---------------- ---------------------------------------- ---- --------- ----------00:50:56:96:e4:cf aaaa:bbbb:cccc:dddd:eeee:1234:5678:abcd 1 1/1/158400:50:56:96:04:4d 1000::3 134 1/1/243500:50:56:96:d8:3d 2000:1000::4 2002 lag12321234

Command History


DHCP snooping | 106





Command Information


4100i60006100



show dhcpv6-snooping statisticsshow dhcpv6-snooping statistics

DescriptionShows theDHCPv6 snooping statistics.

ExamplesShowing theDHCPv6 snooping statistics:

switch(config)# show dhcpv6-snooping statistics

Packet-Type Action Reason Count----------- ------- ----------------------------- ---------server forward from trusted port 12client forward to trusted port 20server drop received on untrusted port 5server drop unauthorized server 4client drop destination on untrusted port 2client drop bad DHCP release request 5server drop relay reply on untrusted port 2client drop failed on max-binding limit 5

Command History





Command Information


4100i60006100




Chapter 7Internet Control Message Protocol

(ICMP)

Internet Control Message Protocol (ICMP)The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. Theprotocol is used by network devices, including routers, to send errormessages and operational information.For example, an ICMPmessagemight indicate that a requested service is not available. Another example ofan ICMPmessagemight be that a host or router could not be reached.

ICMP message typesThe type field identifies the type of message sent by the host or gateway.

Type ICMP messages

0 Echo Reply (Ping Reply, used with Type 8, Ping Request)

3 Destination Unreachable

4 Source Quench

5 Redirect

8 Echo Request (Ping Request, used with Type 0, Ping Reply)

9 Router Advertisement (Used with Type 9)

10 Router Solicitation (Used with Type 10)

11 Time Exceeded

12 Parameter Problem

13 Timestamp Request (Used with Type 14)

14 Timestamp Reply (Used with Type 13)

15 Information Request (obsolete) (Used with Type 16)

16 Information Reply (obsolete) (Used with Type 15)

17 Address Mask Request (Used with Type 17)

18 Address Mask Reply (Used with Type 18)

When ICMP messages are sent


Internet Control Message Protocol (ICMP) | 109

ICMPmessages are sent when one ormore of the following scenarios occur:

n A datagram cannot reach its destination.n The gateway does not have the buffering capacity to forward a datagram.n The gateway can direct the host to send traffic on a shorter route.

ICMP redirect messagesICMP redirect messages are used by routers to notify the hosts on the data link that a better route isavailable for a particular destination.

When ICMP redirect messages are sentThe switch is configured to send redirects by default. ICMP redirect messages are sent when one ormore ofthe following scenarios occur:

n The interface on which the packet comes into the router is the same interface on which the packet getsrouted out.

n The subnet or network of the source IP address is on the same subnet or network of the next-hop IPaddress of the routed packet.

n The datagram is not source-routed.n The destination unicast address is unreachable. In this case, the router generates the ICMP destination

unreachablemessage to inform the source host about the situation.

ICMP commands

ip icmp redirectip icmp redirectno ip icmp redirect

DescriptionEnables the sending of ICMPv4 and ICMPv6 redirect messages to the source host. Enabled by default.

The no form of this command disables ICMPv4 and ICMPv6 redirect messages to the source host.

ExamplesEnabling ICMP redirect messages:

switch(config)# ip icmp redirect

Disabling ICMP redirect messages:

switch(config)# no ip icmp redirect

Command History


10.07 or earlier --

Command Information



ip icmp throttleip icmp throttle <PACKET-INTERVAL>no ip icmp throttle [<PACKET-INTERVAL>]

DescriptionUsed to configure the throttle parameter for both ICMPv4 and ICMPv6 errormessages and redirectmessages.

The no form of this command disables the throttle parameter for both ICMPv4 and ICMPv6 errormessagesand redirect messages.


<PACKET-INTERVAL> Specifies the ICMPv4/v6 packet interval in seconds. Default: 1second. Range: 1-86400.

ExamplesEnabling the throttle parameter for both ICMPv4 and ICMPv6 errormessages and redirect messages:

switch(config)# ip icmp throttle 3000

Disabling the throttle parameter for both ICMPv4 and ICMPv6 errormessages and redirect messages:

switch(config)# no ip icmp throttle

Command History


10.8 Added the optional <PACKET-INTERVAL> parameter to the noform of the command.

10.07 or earlier --

Command Information


Internet Control Message Protocol (ICMP) | 111



ip icmp unreachableip icmp unreachableno ip icmp unreachable

DescriptionEnables the sending of ICMPv4 and ICMPv6 destination unreachablemessages on the switch to a sourcehost when a specific host is unreachable. The unreachable host address originates from the failed packed.Default setting.

The no form of this command disables the sending of ICMPv4 and ICMPv6 destination unreachablemessages from the switch to a source host when a specific host is unreachable. This command does notprevent other hosts from sending an ICMP unreachablemessage.

ExamplesEnabling ICMPv4 and ICMPv6 destination unreachablemessages to a source host:

switch(config)# ip icmp unreachable

Disabling ICMPv4 and ICMPv6 destination unreachablemessages to a source host:

switch(config)# no ip icmp unreachable

Command History


10.07 or earlier --

Command Information



Chapter 8DNS

DNSTheDomain Name System (DNS) is the Internet protocol formapping a hostname to its IP address. DNSallows users to entermore readily memorable and intuitive hostnames, rather than IP addresses, to identifydevices connected to a network. It also allows a host to keep the same hostname even if it changes its IPaddress.

Hostname resolution can be either static or dynamic.

n In static resolution, a local table is defined on the switch that associates hostnameswith their IPaddresses. Static tables can be used to speed up the resolution of frequently queried hosts.

n Dynamic resolution requires that the switch query a DNS server located elsewhere on the network.Dynamic name resolution takesmore time than static name resolution, but requires far less configurationandmanagement.

DNS clientTheDNS client resolves hostnames to IP addresses for protocols that are running on the switch. When theDNS client receives a request to resolve a hostname, it can do so in one of two ways:

n Forward the request to a DNS name server for resolution.n Reply to the request without using a DNS name server, by resolving the nameusing a statically defined

table of hostnames and their associated IP addresses.

Configuring the DNS clientProcedure

1. Configure one ormoreDNS name servers with the command ip dns server.2. To resolve DNS requests by appending a domain name to the requests, either configure a single

domain namewith the command ip dns domain-name, or configure a list of up to six domain nameswith the command ip dns domain-list.

3. To use static name resolution for certain hosts, associate an IP address to a host with the commandip dns host.

4. Review your DNS configuration settings with the command show ip dns.

ExamplesThis example creates the following configuration:

n Defines the domain switch.com to append to all requests.n Defines a DNS server with IPv4 address of 1.1.1.1.n Defines a static DNS host namedmyhost1 with an IPv4 address of 3.3.3.3.n DNS client traffic is sent on the default VRF (named default).


DNS | 113

switch(config)# ip dns domain-name switch.comswitch(config)# ip dns server-address 1.1.1.1switch(config)# ip dns host myhost1 3.3.3.3switch(config)# exitswitch# show ip dns

VRF Name : defaultDomain Name: switch.comName Server(s): 1.1.1.1

Host Name Address--------------------------------------------------------------------------------myhost1 3.3.3.3switch#

DNS client commands

ip dns domain-listip dns domain-list <DOMAIN-NAME> [vrf default]no ip dns domain-list <DOMAIN-NAME> [vrf default]

DescriptionConfigures one ormore domain names that are appended to theDNS request. TheDNS client appendseach name in succession until the DNS server replies. Domains can be either IPv4 or IPv6. By default,requests are forwarded on the default VRF.

The no form of this command removes a domain from the list.


list <DOMAIN-NAME> Specifies a domain name. Up to six domains can be added to thelist. Length: 1 to 256 characters.

ExamplesThis example defines a list with two entries: domain1.com and domain2.com.

switch(config)# ip dns domain-list domain1.comswitch(config)# ip dns domain-list domain2.com

This example removes the entry domain1.com.

switch(config)# no ip dns domain-list domain1.com

Command History


10.07 or earlier --

Command Information



ip dns domain-nameip dns domain-name <DOMAIN-NAME> [ vrf <VRF-NAME> ]no ip dns domain-name <DOMAIN-NAME> [ vrf <VRF-NAME> ]

DescriptionConfigures a domain name that is appended to theDNS request. The domain can be either IPv4 or IPv6. Bydefault, requests are forwarded on the default VRF. If a domain list is defined with the command ip dns

domain-list, the domain namedefined with this command is ignored.

The no form of this command removes the domain name.


<DOMAIN-NAME> Specifies the domain name to append to DNS requests. Length: 1to 256 characters.

vrf <VRF-NAME> Specifies a VRF name. Default: default.

ExamplesSetting the default domain name to domain.com:

switch(config)# ip dns domain-name domain.com

Removing the default domain name domain.com:

switch(config)# no ip dns domain-name domain.com

Command History


10.07 or earlier --

Command Information



ip dns hostip dns host <HOST-NAME> <IP-ADDR> [ vrf <VRF-NAME> ]no ip dns host <HOST-NAME> <IP-ADDR> [ vrf <VRF-NAME> ]

Description


DNS | 115

Associates a static IP address with a hostname. TheDNS client returns this IP address instead of querying aDNS server for an IP address for the hostname. Up to six hosts can be defined. If no VRF is defined, thedefault VRF is used.

The no form of this command removes a static IP address associated with a hostname.


host <HOST-NAME> Specifies the name of a host. Length: 1 to 256 characters.

<IP-ADDR> Specifies an IP address in IPv4 format (x.x.x.x), where x is adecimal number from 0 to 255, or IPv6 format(xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx), where x is ahexadecimal number from 0 to F.


ExamplesThis example defines an IPv4 address of 3.3.3.3 forhost1.

switch(config)# ip dns host host1 3.3.3.3

This example defines an IPv6 address of b::5 forhost 1.

switch(config)# ip dns host host1 b::5

This example defines removes the entry for host 1 with address b::5.

switch(config)# no ip dns host host1 b::5

Command History


10.07 or earlier --

Command Information



ip dns server addressip dns server-address <IP-ADDR> [ vrf <VRF-NAME> ]no ip dns server-address <IP-ADDR> [ vrf <VRF-NAME> ]

Description

Configures theDNS name servers that the DNS client queries to resolve DNS queries. Up to six nameservers can be defined. TheDNS client queries the servers in the order that they are defined. If no VRF isdefined, the default VRF is used.

The no form of this command removes a name server from the list.


<IP-ADDR> Specifies an IP address in IPv4 format (x.x.x.x), where x is adecimal number from 0 to 255, or IPv6 format(xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx), where x is ahexadecimal number from 0 to F.


ExamplesThis example defines a name server at 1.1.1.1.

switch(config)# ip dns server-address 1.1.1.1

This example defines a name server at a::1.

switch(config)# ip dns server-address a::1

This example removes a name server at a::1.

switch(config)# no ip dns server-address a::1

Command History


10.07 or earlier --

Command Information



show ip dnsshow ip dns [vrf <VRF-NAME>]

DescriptionShows all DNS client configuration settings or the settings for a specific VRF.


DNS | 117


vrf <VRF-NAME> Specifies the VRF for which to show information. If no VRF isdefined, the default VRF is used.

Examples

Command History


10.07 or earlier --

Command Information


All platforms Manager (#) Operators or Administrators or local user groupmembers withexecution rights for this command. Operators can execute thiscommand from the operator context (>) only.

Chapter 9ARP

ARPARP (Address Resolution Protocol) is used to map the network address assigned to a device to its physicaladdress. For example, on an Ethernet network, ARPmaps layer 3 IPv4 network addresses to layer 2 MACaddresses. (ARP does not work with IPv6 addresses. Instead, theNeighbor discovery protocol is used.)

ARP operates at layer 2. ARP requests are broadcast to all devices on the local network segment and are notforwarded by routers. ARP is enabled by default and cannot be disabled.

Proxy ARPProxy ARP allows a routing switch to answer ARP requests fromdevices on one network on behalf of deviceson another network. The ARP proxy is aware of the location of the traffic destination, and offers its ownMAC address as the final destination.

For example, if Proxy ARP is enabled on a routing switch connected to two subnets (10.10.10.0/24 and20.20.20.0/24), the routing switch can respond to an ARP request from 10.10.10.69 for theMAC address ofthe devicewith IP address 20.20.20.69.

Typically, the host that sent the ARP request then sends its packets to the switch that has the ARP proxy.This switch then forwards the packets to the intended host through amechanism such as a tunnel.

Proxy ARP is supported on L3 physical and VLAN interfaces. It is disabled by default. To enable proxy ARP,routingmust be enabled on the interface.

Local proxy ARPLocal proxy ARP is a technique by which a device on a given network answers the ARP queries for a hostaddress that is on the same network. It is primarily used to enable layer 3 communication between hostswithin a common subnet that are separated by layer 2 boundaries (Example: PVLAN). Local proxy ARP issupported on L3 physical and VLAN interfaces.

Local proxy ARP is disabled by default. Routingmust be enabled on the interface to enable local proxy ARP.

Dynamic ARP inspection

Dynamic ARP inspection is supported only on the Aruba 6000 and 6100 Switch Series.

ARP is used for resolving IP against MAC addresses on a broadcast network segment like the Ethernet andwas originally defined by Internet Standard RFC 826. ARP does not support any inherent securitymechanism and as such depends on simple datagram exchanges for the resolution, withmany of thesebeing broadcast.

Because it is an unreliable and non-secure protocol, ARP is vulnerable to attacks. Some attacksmay betargeted toward the networks whereas other attacksmay be targeted toward the switch itself. The attacksprimarily intend to create denial of service (DoS) for the other entities present in the network.

Most of the attacks are carried out in one of the following three forms:

n Overwhelming the switch control planewith toomany ARP packets.n Overwhelming the switch control planewith toomany unresolved data packets.n Masquerading as a trusted gateway/server by wrongly advertising ARPs.


ARP | 119

Several defensemechanisms can be put in place on a switch to protect against attacks:

n Limit the amount of ARP activity allowed from a host or on a port.n Ensure that all ARP packets are consistent with one ormore binding databases, which can be created

through variousmeans.n Enforce integrity checks on the ARP packets to check against different MAC or IP addresses in the

Ethernet or IP header and ARP header.

Only the following is supported:

n Enabling and disabling of Dynamic ARP Inspection on a VLAN level (it does not have to be SVI).n Defining themember ports of a VLAN as either trusted or untrusted.n Only ARP traffic on untrusted ports subjected to checks.n Routed ports (RoPs) always treated as trusted.n Listening to theDHCP Bindings table and check every ARP packet to match against the binding.

ARP ACLs are not supported in this release and theDHCP snooping table will be the only source of binding.

ARP commands

arp inspectionarp inspection

DescriptionEnables Dynamic ARP Inspection on the current VLAN, forcing all ARP packets fromuntrusted ports to besubjected to aMAC-IP association check against a binding table.

The no form of this command disables Dynamic ARP Inspection on the VLAN.

ExamplesEnabling dynamic ARP inspection:

switch# configure terminalswitch(config)# vlan 1switch(config-vlan)# arp inspection

Disabling dynamic ARP inspection:

switch# configure terminalswitch(config)# vlan 1switch(config-vlan)# no arp inspection

Command History


10.07 or earlier --

Command Information


All platforms config-vlan-<VLAN-ID> Administrators or local user groupmembers with execution rightsfor this command.

arp inspection trustarp inspection trustno arp inspection trust

DescriptionConfigures the interface as a trusted. All interfaces are untrusted by default.

The no form of this command returns the interface to the default state (untrusted).

ExampleSetting an interface as trusted:

switch(config-if)# arp inspection trust

Command History


10.07 or earlier --

Command Information


All platforms config-if Administrators or local user groupmembers with execution rightsfor this command.

arp ipv4 macarp ipv4 <IPV4_ADDR> mac <MAC_ADDR>no arp ipv4 <IPV4_ADDR> mac <MAC_ADDR>

DescriptionSpecifies a permanent static neighbor entry in the ARP table (for IPv4 neighbors).

The no form of this command deletes a permanent static neighbor entry from the ARP table.


ipv4 <IPV4-ADDR> Specifies the IP address of the neighbor or the virtual IP address ofthe cluster in IPv4 format (x.x.x.x), where x is a decimal numberfrom 0 to 255. . Range: 4096 to 131072. Default: 131072.

mac <MAC-ADDR> Specifies the MAC address of the neighbor or the multicast MACaddress in IANA format (xx:xx:xx:xx:xx:xx), where x is ahexadecimal number from 0 to F. Range: 4096 to 131072. Default:131072.


ARP | 121

ExampleConfiguring a static ARP entry on a interface VLAN 10:

switch(config)# interface vlan 10switch(config-if-vlan)# arp ipv4 2.2.2.2 mac 01:00:5e:00:00:01

Removing a static ARP entry on interface VLAN10:

switch(config)# interface vlan 10switch(config-if-vlan)# no arp ipv4 2.2.2.2 mac 01:00:5e:00:00:01

Command History


10.07 or earlier --

Command Information


All platforms config-ifconfig-if-vlan


clear arpclear arp [port <PORT-ID> | vrf {all-vrfs | <VRF-NAME>}]

DescriptionClears IPv4 and IPv6 neighbor entries from the ARP table. If you do not specify any parameters, ARP tableentries are cleared for the default VRF.


port <PORT-ID> Specifies a physical port on the switch. Format:member/slot/port. For example: vlan 2. .

all-vrfs Selects all VRFs.

<VRF-NAME> Specifies the name of a VRF. Default: default.

ExamplesClearing all IPv4 and IPv6 neighbor ARP entries for the default VRF:

switch# clear arp

Clearing all ARP neighbor entries for a port:

switch# clear arp vlan 2

Command History


10.07 or earlier --

Command Information



ip local-proxy-arpip local-proxy-arpno ip local-proxy-arp

DescriptionEnables local proxy ARP on the specified interface. Local proxy ARP is supported on Layer 3 physicalinterfaces and on VLAN interfaces. To enable local proxy ARP on an interface, routingmust be enabled onthat interface.

The no form of this command disables local proxy ARP on the specified interface.

ExamplesEnabling local proxy ARP on interface 1/1/1:

switch# interface 1/1/1switch(config-if)# ip local proxy-arp

Enabling local proxy ARP on interface VLAN 3:

switch# interface vlan 3switch(config-if-vlan)# ip local-proxy-arp

Disabling local proxy ARP on on interface 1/1/1.

switch# interface 1/1/1switch(config-if)# no ip local-proxy-arp

Command History


10.07 or earlier --

Command Information


ARP | 123


All platforms config-ifconfig-if-vlan


ipv6 neighbor macipv6 neighbor <IPV6-ADDR> mac <MAC-ADDR>no ipv6 neighbor <IPV6-ADDR> mac <MAC-ADDR>

DescriptionSpecifies a permanent static neighbor entry in the ARP table (for IPv6 neighbors).

The no form of this command deletes a permanent static neighbor entry from the ARP table.


<IPV6-ADDR>> Specifies an IP address in IPv6 format(xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx), where x is ahexadecimal number from 0 to F. Range: 4096 to 131072. Default:131072.

mac <MAC-ADDR>> Specifies the MAC address of the neighbor(xx:xx:xx:xx:xx:xx), where x is a hexadecimal number from 0to F. Range: 4096 to 131072. Default: 131072.

ExampleCreates a static ARP entry on interface vlan 2.

switch(config)# interface vlan 2switch(config-if-vlan)# arp ipv6 neighbor 2001:0db8:85a3::8a2e:0370:7334 mac00:50:56:96:df:c8

Command History


10.07 or earlier --

Command Information


All platforms config-if Administrators or local user groupmembers with execution rightsfor this command.

ip proxy-arpip proxy-arpno ip proxy-arp

Description

Enables proxy ARP for the specified Layer 3 interface. Proxy ARP is supported on Layer 3 physical interfaces,LAG interfaces, and VLAN interfaces. It is disabled by default. To enable proxy ARP on an interface, routingmust be enabled on that interface.

The no form of this command disables proxy ARP for the specified interface.

ExamplesEnabling proxy ARP on interface 1/1/1:

switch# interface 1/1/1switch(config-if)# ip proxy-arp

Enabling proxy ARP on VLAN 3:

switch# interface vlan 3switch(config-if-vlan)# ip proxy-arp

Enabling proxy ARP on a LAG 11:

switch(config)# int lag 11switch(config-lag-if)# ip proxy-arp

Disabling proxy ARP on interface 1/1/1:

switch# interface 1/1/1switch(config-if)# no ip proxy-arp

Command History


10.07 or earlier --

Command Information


All platforms config-ifconfig-if-vlanconfig-lag-vlan


show arpshow arp

DescriptionShows the entries in the ARP (Address Resolution Protocol) table.

Usage


ARP | 125

This command displays information about ARP entries, including the IP address, MAC address, port, andstate.

When no parameters are specified, the show arp command shows all ARP entries for the default VRF (VirtualRouter Forwarding) instance.

Examples

switch# show arp

IPv4 Address MAC Port Physical Port State-------------------------------------------------------------------------------192.168.1.2 00:50:56:96:7b:e0 vlan10 1/1/29 stale192.168.1.3 00:50:56:96:7b:ac vlan10 1/1/1 reachable

Total Number Of ARP Entries Listed- 2.-------------------------------------------------------------------------------

Command History


10.07 or earlier --

Command Information



show arp inspection interfaceshow arp inspection interface

DescriptionDisplays the current configuration of dynamic ARP inspection on a VLAN or interface.

Examples

switch# show arp inspection interface

---------------------------------------------------------------------------Interface Trust-State---------------------------------------------------------------------------1/1/1 Untrusted---------------------------------------------------------------------------

switch# show arp inspection interface vsx-peer

---------------------------------------------------------------------------Interface Trust-State---------------------------------------------------------------------------1/1/1 Untrusted

lag100 Trusted---------------------------------------------------------------------------

switch# show arp inspection interface 1/1/1

---------------------------------------------------------------------------Interface Trust-State---------------------------------------------------------------------------1/1/1 Untrusted---------------------------------------------------------------------------

Command History


10.07 or earlier --

Command Information




show arp inspection statisticsshow arp inspection statistics

DescriptionDisplays statistics about forwarded and dropped ARP packets.

Examples

switch# show arp inspection statistics vlan 1-200

-----------------------------------------------------------------VLAN Name Forwarded Dropped-----------------------------------------------------------------1 DEFAULT_VLAN_1 0 0-----------------------------------------------------------------

switch# show arp inspection statistics vlan

-----------------------------------------------------------------VLAN Name Forwarded Dropped-----------------------------------------------------------------1 DEFAULT_VLAN_1 0 0200 VLAN200 0 0-----------------------------------------------------------------

Command History


ARP | 127


10.07 or earlier --

Command Information




show arp stateshow arp state {all | failed | incomplete | permanent | reachable | stale}

DescriptionShows ARP (Address Resolution Protocol) cache entries that are in the specified state.


all Shows the ARP cache entries for all VRF (Virtual RouterForwarding) instances.

failed Shows the ARP cache entries that are in failed state. Theneighbor might have been deleted.

incomplete Shows the ARP cache entries that are in incomplete state.An incomplete state means that address resolution is in progressand the link-layer address of the neighbor has not yet beendetermined. A solicitation request was sent, and the switch iswaiting for a solicitation reply or a timeout.

permanent Shows the ARP cache entries that are in permanent state. ARPentries that are in a permanent state can be removed byadministrative action only.

reachable Shows the ARP cache entries that are in reachable state,meaning that the neighbor is known to have been reachablerecently.

stale Shows ARP cache entries that are in stale state.ARP cache entries are in the stale state if the elapsed time is inexcess of the ARP timeout in seconds since the last positiveconfirmation that the forwarding path was functioning properly.

Examples

switch# show arp state failed

IPv4 Address MAC Port Physical Port State---------------------------------------------------------------------------192.168.1.4 vlan10 failed

Command History


10.07 or earlier --

Command Information




show arp summaryshow arp summary [all-vrfs | vrf <VRF-NAME>]

DescriptionShows a summary of the IPv4 and IPv6 neighbor entries on the switch for all VRFs or a specific VRF.


all-vrfs Selects all VRFs.

vrf <VRF-NAME> Specifies the name of a VRF.

ExamplesShowing summary ARP information for all VRFs:

switch# show arp summary all-vrfs

ARP Entry's State : IPv4 IPv6-------------------------------------------------------

Number of Reachable ARP entries : 2 0

Number of Stale ARP entries : 0 0

Number of Failed ARP entries : 2 2

Number of Incomplete ARP entries : 0 0

Number of Permanent ARP entries : 0 0

-------------------------------------------------------

Total ARP Entries: 6 : 4 2

-------------------------------------------------------

Showing a summary of all IPv4 and IPv6 neighbor entries on the primary and secondary (peer) switches:


ARP | 129

vsx-primary# show arp summaryARP Entry's State IPv4 IPv6---------------------------------------------------------Number of Reachable ARP entries 25858 32231Number of Stale ARP entries 0 1Number of Failed ARP entries 0 257Number of Incomplete ARP entries 0 0Number of Permanent ARP entries 0 0---------------------------------------------------------Total ARP Entries- 58347 25858 32489

vsx-primary# show arp summary vsx-peerARP Entry's State IPv4 IPv6---------------------------------------------------------Number of Reachable ARP entries 25858 32168Number of Stale ARP entries 0 3Number of Failed ARP entries 0 317Number of Incomplete ARP entries 0 0Number of Permanent ARP entries 0 0---------------------------------------------------------Total ARP Entries- 58346 25858 32488---------------------------------------------------------

Command History


10.07 or earlier --

Command Information




show arp timeoutshow arp timeout [<INTERFACE>]

DescriptionShows the age-out period for each ARP (Address Resolution Protocol) entry for a port, LAG, or VLANinterface.


<INTERFACE> Specifies a physical port, VLAN, or LAG on the switch. For physicalports, use the format (for example, 1/3/1).

ExamplesShowing ARP timeout information for a VLAN:

switch# show arp timeout vlan2Port VRF Timeout----------------------------------------------------------vlan2 default 1800

Command History


10.07 or earlier --

Command Information




show arp vrfshow arp {all-vrfs | vrf <VRF-NAME>}

DescriptionShows the ARP table for all VRF instances, or for the named VRF.


all-vrfs Specifies all VRFs.

vrf <VRF-NAME> Specifies the name of a VRF. Length: 1 to 32 alphanumericcharacters.

ExamplesShowing ARP entries for VRF test.

switch# show arp vrf testARP IPv4 Entries:-------------------------------------------------------IPv4 Address MAC Port Physical Port State VRF10.20.30.40 00:50:56:bd:6a:c5 1/1/29 1/1/29 reachable test-------------------------------------------------------Total Number Of ARP Entries Listed: 1.-------------------------------------------------------

switch# show arp all-vrfsARP IPv4 Entries:-------------------------------------------------------IPv4 Address MAC Port Physical Port State VRF192.168.120.10 00:50:56:bd:10:be 1/1/32 1/1/32 reachable red10.20.30.40 00:50:56:bd:6a:c5 1/1/29 1/1/29 reachable test-------------------------------------------------------


ARP | 131

Total Number Of ARP Entries Listed: 2.-------------------------------------------------------

Showing ARP entries for all VRFs.

switch# show arp all-vrfsARP IPv4 Entries:-------------------------------------------------------IPv4 Address MAC Port Physical Port State VRF192.168.120.10 00:50:56:bd:10:be 1/1/32 1/1/32 reachable red10.20.30.40 00:50:56:bd:6a:c5 1/1/29 1/1/29 reachable test-------------------------------------------------------Total Number Of ARP Entries Listed: 2.-------------------------------------------------------

Command History


10.07 or earlier --

Command Information




show ipv6 neighborsshow ipv6 neighbors {all-vrfs | vrf <VRF-NAME>}

DescriptionShows entries in the ARP table for all IPv6 neighbors for all VRFs or for a specific VRF.

When no parameters are specified, this command shows all ARP entries for the default VRF, and stateinformation for reachable and stale entries only.


all-vrfs Specifies all VRFs.

vrf <VRF-NAME> Specifies the name of a VRF. Length: 1 to 32 alphanumericcharacters.

Examples

switch# show ipv6 neighborsIPv6 Entries:

-------------------------------------------------------

IPv6 Address MAC Port Physical Port State

fe80::a21d:48ff:fe8f:2700 a0:1d:48:8f:27:00 vlan2300 1/1/31 reachable

fe80::f603:43ff:fe80:a600 f4:03:43:80:a6:00 vlan2300 1/1/30 reachable

-------------------------------------------------------

Total Number Of IPv6 Neighbors Entries Listed: 2.

-------------------------------------------------------

Command History


10.07 or earlier --

Command Information




show ipv6 neighbors stateshow ipv6 neighbors state {all | failed | incomplete | permanent | reachable | stale}

DescriptionShows all IPv6 neighbor ARP (Address Resolution Protocol) cache entries, or those cache entries that are inthe specified state.


all Shows all ARP cache entries.

failed Shows ARP cache entries that are in failed state. The neighbormight have been deleted. Set the neighbor to be unreachable.

incomplete Shows ARP cache entries that are in incomplete state.An incomplete state means that address resolution is in progressand the link-layer address of the neighbor has not yet beendetermined. This means that a solicitation request was sent, andyou are waiting for a solicitation reply or a timeout.

permanent Shows ARP cache entries that are in permanent state.

reachable Shows ARP cache entries that are in reachable state, meaningthat the neighbor is known to have been reachable recently.

stale Shows ARP cache entries that are in stale state.


ARP | 133


ARP cache entries are in the stale state if the elapsed time is inexcess of the ARP timeout in seconds since the last positiveconfirmation that the forwarding path was functioning properly.

Example

switch# show ipv6 neighbors state all

IPv6 Address MAC Port Physical Port State--------------------------------------------------------------------------------100::2 48:0f:cf:af:f1:cc lag1 lag1 reachable300::3 48:0f:cf:af:33:be vlan3 1/4/20 reachablefe80::4a0f:cfff:feaf:f1cc 48:0f:cf:af:f1:cc lag1 lag1 reachable200::3 48:0f:cf:af:33:be 1/4/11 1/4/11 reachablefe80::4a0f:cfff:feaf:33be 48:0f:cf:af:33:be vlan3 1/4/20 reachable

Total Number Of IPv6 Neighbors Entries Listed- 5.---------------------------------------------------------------------------------

Command History


10.07 or earlier --

Command Information




Chapter 10Support and Other Resources

Support and Other Resources

Accessing Aruba Support

Aruba Support Services https://www.arubanetworks.com/support-services/

Aruba Support Portal https://asp.arubanetworks.com/

North America telephone 1-800-943-4526 (US & Canada Toll-Free Number)

+1-408-754-1200 (Primary - Toll Number)

+1-650-385-6582 (Backup - Toll Number - Use only when all othernumbers are not working)

International telephone https://www.arubanetworks.com/support-services/contact-support/

Be sure to collect the following information before contacting Support:

n Technical support registration number (if applicable)n Product name,model or version, and serial numbern Operating systemname and versionn Firmware versionn Errormessagesn Product-specific reports and logsn Add-on products or componentsn Third-party products or components

Other useful sitesOther websites that can be used to find information:

Airheads socialforums andKnowledgeBase

https://community.arubanetworks.com/

AOS-CX SwitchSoftwareDocumentationPortal

https://www.arubanetworks.com/techdocs/AOS-CX/help_portal/Content/home.htm

ArubaHardwareDocumentationandTranslations

https://www.arubanetworks.com/techdocs/hardware/DocumentationPortal/Content/home.htm


https://www.arubanetworks.com/support-services/

https://asp.arubanetworks.com/

https://www.arubanetworks.com/support-services/contact-support/

https://www.arubanetworks.com/support-services/contact-support/

https://community.arubanetworks.com/

https://www.arubanetworks.com/techdocs/AOS-CX/help_portal/Content/home.htm

https://www.arubanetworks.com/techdocs/hardware/DocumentationPortal/Content/home.htm

Support and Other Resources | 135

Portal

Aruba software https://asp.arubanetworks.com/downloads

Softwarelicensing

https://lms.arubanetworks.com/

End-of-Lifeinformation

https://www.arubanetworks.com/support-services/end-of-life/

ArubaDeveloper Hub

https://developer.arubanetworks.com/

Accessing UpdatesYou can access updates from the Aruba Support Portal or theHPEMy NetworkingWebsite.

Aruba Support Portalhttps://asp.arubanetworks.com/downloads

If you are unable to find your product in the Aruba Support Portal, youmay need to searchMy Networking,where older networking products can be found:

My Networkinghttps://www.hpe.com/networking/support

To view and update your entitlements, and to link your contracts and warranties with your profile, go to theHewlett Packard Enterprise Support CenterMore Information on Access to Support Materials page:https://support.hpe.com/portal/site/hpsc/aae/home/

Access to some updatesmight require product entitlement when accessed through theHewlett PackardEnterprise Support Center. Youmust have an HP Passport set up with relevant entitlements.

Some software products provide amechanism for accessing software updates through the productinterface. Review your product documentation to identify the recommended software updatemethod.

To subscribe to eNewsletters and alerts:

https://asp.arubanetworks.com/notifications/subscriptions (requires an active Aruba Support Portal (ASP)account to manage subscriptions). Security notices are viewablewithout an ASP account.

Warranty InformationTo viewwarranty information for your product, go to https://www.arubanetworks.com/support-services/product-warranties/.

Regulatory InformationTo view the regulatory information for your product, view the Safety and Compliance Information for Server,Storage, Power, Networking, and Rack Products, available at https://www.hpe.com/support/Safety-Compliance-EnterpriseProducts

Additional regulatory information

https://asp.arubanetworks.com/downloads

https://lms.arubanetworks.com/

https://www.arubanetworks.com/support-services/end-of-life/

https://developer.arubanetworks.com/

https://asp.arubanetworks.com/downloads

https://www.hpe.com/networking/support

https://support.hpe.com/portal/site/hpsc/aae/home/

https://asp.arubanetworks.com/notifications/subscriptions

https://www.arubanetworks.com/support-services/product-warranties/

https://www.arubanetworks.com/support-services/product-warranties/

https://www.hpe.com/support/Safety-Compliance-EnterpriseProducts

https://www.hpe.com/support/Safety-Compliance-EnterpriseProducts

Aruba is committed to providing our customers with information about the chemical substances in ourproducts as needed to comply with legal requirements, environmental data (company programs, productrecycling, energy efficiency), and safety information and compliance data, (RoHS andWEEE). Formoreinformation, see https://www.arubanetworks.com/company/about-us/environmental-citizenship/.

Documentation FeedbackAruba is committed to providing documentation that meets your needs. To help us improve thedocumentation, send any errors, suggestions, or comments to Documentation Feedback ([email protected]). When submitting your feedback, include the document title, part number, edition,and publication date located on the front cover of the document. For online help content, include theproduct name, product version, help edition, and publication date located on the legal notices page.


https://www.arubanetworks.com/company/about-us/environmental-citizenship/

mailto:[email protected]

mailto:[email protected]

Documents

AOS-CX 10.09 IP Services Guide (4100i, 6000, 6100)